ITGovernance (1)
Transcript of ITGovernance (1)
8/8/2019 ITGovernance (1)

IT Governance
Information Security Governance

Acknowledgments
  Material is sourced from:
    CISA Review Manual 2009, 2008, ISACA. All rights reserved. Used by permission.
    CISM Review Manual 2009, 2008, ISACA. All rights reserved. Used by permission.
  Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
  Reviewers/Contributors: Todd Burri
  Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.
  Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Corporate Governance
  Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders
  IT Governance: Ensure the alignment of IT with enterprise objectives
    Responsibility of the board of directors and executive mgmt

IT Governance Objectives
  IT delivers value to the business
  IT risk is managed
  Processes include:
    Equip IS functionality and address risk
    Measure performance of delivering value to the business
    Comply with legal and regulatory requirements

IT Governance Committees
  IT Strategic Committee (board members & specialists)
    Focuses on Direction and Strategy
    Advises board on IT strategy and alignment
    Optimization of IT costs and risk
  IT Steering Committee (business executives (IT users), CIO, key advisors (IT, legal, audit, finance))
    Focuses on Implementation
    Monitors current projects
    Decides IT spending

IT Strategy Committee
  Main Concerns:
    Alignment of IT with Business
    Contribution of IT to the Business
    Exposure & containment of IT risk
    Optimization of IT costs
    Achievement of strategic IT objectives

IT Steering Committee
  Main Concerns:
    Makes decisions on whether IT is centralized vs. decentralized, and on assignment of responsibility
    Makes recommendations for strategic plans
    Approves IT architecture
    Reviews and approves IT plans, budgets, priorities & milestones
    Monitors major project plans and delivery performance

Strategic Planning Process
  Strategic: Long-term (3-5 year) direction; considers organizational goals, regulation (and for IT: technical advances)
  Tactical: 1-year plan moves organization to strategic goal
  Operational: Detailed or technical plans
  (Figure: pyramid with Strategic at the top, Tactical in the middle, Operational at the base)

Security Strategic Planning
  Strategic: Risk Mgmt, Laws, Governance, Policy
  Tactical: Organizational Security, Data classification, Audit, Risk analysis, Business continuity, Metrics development, Incident response
  Operational: Physical security, Network security, Policy compliance, Metrics use

Strategic Planning
  Strategy: Achieve CMM or COBIT Level 4
  Tactical: During next 12 months:
    Each business unit must identify current applications in use
    25% of all stored data must be reviewed to identify critical resources
    Business units must achieve regulatory compliance
    A comprehensive risk assessment must be performed for each business unit
    All users must undergo general security training
    Standards must exist for all policies

Standard IT Balanced Scorecard
  Mission = Direction. E.g.: Serve business efficiently and effectively
  Strategies = Objectives. E.g.: Quality through Availability; Process Maturity
  Measures = Statistics. E.g.: Customer satisfaction; Operational efficiency
  Establish a mechanism for reporting IT strategic aims and progress to the board

IT Balanced Scorecard
  Financial Goals: How should we appear to stockholders?
    Vision: / Metrics: / Performance:
  Internal Business Process: What business processes should we excel at?
    Vision: / Metrics: / Performance:
  Customer Goals: How should we appear to our customers?
    Vision: / Metrics: / Performance:
  Learning and Growth Goals: How will we improve internally?
    Vision: / Metrics: / Performance:

Enterprise Architecture
  Constructing IT is similar to constructing a building
  It must be designed and implemented at various levels:
    Technical (Hardware, Software)
    IT Procedures & Operations
    Business Procedures & Operations
  (Figure: architecture grid with columns Data, Functional (App), Network (Tech), People (Org.), Process (Flow), Strategy; and rows Scope, Enterprise Model, Systems Model, Tech Model, Detailed Representation)

Sourcing Practices
  Insourced: Performed entirely by the organization's staff
  Outsourced: Performed entirely by a vendor's staff
  Hybrid: Partially insourced and outsourced
  Onsite: Performed at IS dept site
  Offsite or Nearshore: Performed in same geographical area
  Offshore: Performed in a different geographical region
  What advantages can you think of for insourcing versus outsourcing?

Quality with ISO 9000
  ISO 9000: Standard for Quality Mgmt Systems. Recommendations include:
    Quality Manual: Documented procedures
    HR: Documented standards for personnel hiring, training, evaluation
    Purchasing: Documented standards for vendors: equipment & services
  Gap Analysis: The difference between where you are and where you want to be

Quality Definitions
  Quality Assurance: Ensures that staff are following quality processes: e.g., following standards in design, coding, testing, configuration management
  Quality Control: Conducts tests to validate that software is free from defects and meets user expectations

Performance Optimization
  Phases of Performance Measurement include:
    Establish and update performance metrics
    Establish accountability for performance measures
    Gather and analyze performance data
    Report and use performance results
  Note: Strategic direction for how to achieve performance improvements is necessary

Categories of Performance Measures
  Performance Measurement: What are indicators of good IT performance?
  IT Control Profile: How can we measure the effectiveness of our controls?
  Awareness: What are the risks of not achieving our objectives?
  Benchmarking: How do we perform relative to others and standards?

IS Auditor & IT Governance
  Is the IS function aligned with the organization's mission, vision, values, objectives and strategies?
  Does IS achieve performance objectives established by the business?
  Does IS comply with legal, fiduciary, environmental, privacy, security, and quality requirements?
  Are IS risks managed efficiently and effectively?
  Is IS control effective and efficient?

Audit: Recognizing Problems
  End-user complaints
  Excessive costs or budget overruns
  Late projects
  Poor motivation - high staff turnover
  High volume of H/W or S/W defects
  Inexperienced staff, lack of training
  Unsupported or unauthorized H/W or S/W purchases
  Numerous aborted or suspended development projects
  Reliance on one or two key personnel
  Poor computer response time
  Extensive exception reports, many not tracked to completion

Audit: Review Documentation
  IT Strategies, Plans, Budgets
  Security Policy Documentation
  Organization charts & Job Descriptions
  Steering Committee Reports
  System Development and Program Change Procedures
  Operations Procedures
  HR Manuals
  QA Procedures
  Contract Standards and Commitments: Bidding, selection, acceptance, maintenance, compliance

Question
  The MOST important function of the IT department is:
    1. Cost effective implementation of IS functions
    2. Alignment with business objectives
    3. 24/7 Availability
    4. Process improvement

Question
  Implementing a virtual private network in the next year is a goal at which level:
    1. Strategic
    2. Operational
    3. Tactical
    4. Mission

Question
  Which of the following is not a valid purpose of the IS Audit?
    1. Ensure IS strategic plan matches the intent of the enterprise strategic plan
    2. Ensure that IS has developed documented processes for software acquisition and/or development (depending on IS functions)
    3. Verify that contracts followed a documented process that ensures no conflicts of interest
    4. Investigate program code for backdoors, logic bombs, or Trojan horses

Question
  The difference between where an organization performs and where it intends to perform is known as:
    1. Gap analysis
    2. Quality Control
    3. Performance Measurement
    4. Benchmarking

Information Security Governance
  (Section covers: Governance, Policy, Risk)

Information Security Importance
  Organizations are dependent upon and are driven by information
    Software = information on how to process
    Data, graphics retained in files
  Information & computer crime has escalated
  Therefore information security must be addressed and supported at highest levels of the organization

Security Governance
  Strategic Alignment: Security solution consistent with organization goals and culture
  Risk Management: Understand threats and cost-effectively control risk
  Value Delivery: Prioritized and delivered for greatest business benefit
  Performance Measurement: Metrics, independent assurance
  Resource Management: Security architecture development & documentation
  Process Integration: Security is integrated into a well-functioning organization

Security Manager Interfaces
  (Figure: the Security Mgr at the center, interfacing with Executive Mgmt, Audit & Compliance, Human Resources, Legal, Business Units, Quality Control, S/W Develop., and IT)
  Relationships shown on the figure: Directs & Approves; Helps in Control implementation; Specific area of expertise, concern, and responsibility; Advises; Hiring, training, roles & responsibility, Incident handling; Cooperation; Secure testing; Security requirements; Access control

Executive Mgmt Info Security Concerns
  Reduce civil and legal liability related to privacy
  Provide policy and standards leadership
  Control risk to acceptable levels
  Optimize limited security resources
  Base decisions on accurate information
  Allocate responsibility for safeguarding information
  Increase trust and improve reputation outside organization

Personnel Issues
  Background checks can reduce fraud
    More secure position = more checking required
    A standard or procedure may be useful
  Training & signed contracts
  Track and document theft
    Minor incidents could add up to a major pattern problem
  Email can be monitored for potential problem employees
    Assuming policy is in place and employees are aware

Legal Issues
  International trade and employment may be liable to different regulations than exist in the U.S., affecting:
    Hiring
    Internet business
    Trans-border data flows
    Cryptography
    Copyright, patents, trade secrets
  Industry may be liable under legislation:
    SOX: Sarbanes-Oxley: Publicly traded corp.
    FISMA: Federal Info Security Mgmt Act
    HIPAA: Health Insurance Portability and Accountability Act
    GLBA: Gramm-Leach-Bliley: Financial privacy
    Etc.

Security Governance Framework
  (Figure components: Security Strategy; Security Framework; Policies, Standards, Procedures; Security Organization; Compliance Monitoring)

Security Organization
  Board of Directors: Review risk assessment & Business Impact Analysis; define penalties for non-compliance of policies
  Executive Mgmt: Defines security objectives and institutes security organization
  Security Steering Committee: Senior representatives of business functions; ensures alignment of security program with business objectives
  Chief Info Security Officer (CISO)
  Other positions: Chief Risk Officer (CRO), Chief Compliance Officer (CCO)

Security Positions
  Security Architect
    Design secure network topologies, access control, security policies & standards
    Evaluate security technologies
    Work with compliance, risk mgmt, audit
  Security Administrator
    Allocate access to data under data owner
    Prepare security awareness program
    Test security architecture
    Monitor security violations and take corrective action
    Review and evaluate security policy

Security Operations
  Identity Mgmt & Access control
  System patching & configuration mgmt
  Change control & release mgmt
  Security metrics collection & reporting
  Control technology maintenance
  Incident response, investigation, and resolution

Security Policy
  Policy = First step to developing security infrastructure
  Set direction for implementation of controls, tools, procedures
  Approved by senior mgmt
  Documented and communicated to all employees and associates

Security Policy Document
  Definition of information security
  Statement of management commitment
  Framework for approaching risk and controls
  Brief explanation of policies, minimally covering regulatory compliance, training/awareness, business continuity, and consequences of violations
  Allocation of responsibility, including reporting security incidents
  References to more detailed documents

Policy Documentation
  Policy = Direction for Control
    Philosophy of organization
    Created by Senior Mgmt
    Reviewed periodically
    Employees must understand intent
    Auditors test for compliance
  Procedures: Detailed steps to implement a policy. Written by process owners
  Standards: An image of what is acceptable
  Guidelines: Recommendations and acceptable alternatives

Security Planning: Policies
  Policy Objective: Requirements Rule: Describes what needs to be accomplished
  Policy Control: Technique to meet objectives
    Procedure: Outlines how the Policy will be accomplished
    Standard: Specific rule, metric or boundary that implements policy
  Example 1:
    Policy: Computer systems are not exposed to illegal, inappropriate, or dangerous software
    Policy Control Standard: Allowed software is defined.
    Policy Control Procedure: A description of how to load a computer with required software.
  Example 2:
    Policy: Access to confidential information is controlled
    Policy Control Standard: Confidential information is never to be emailed without being encrypted
  Discussion: Are these effective controls by themselves?

Other Policy Documents
  Data Classification: Defines data security categories, ownership and accountability
  Acceptable Usage Policy: Describes permissible usage of IT equipment/resources
  End-User Computing Policy: Defines usage and parameters of desktop tools
  Access Control Policies: Defines how access permission is defined and allocated
  After policy documents are created, they must be officially reviewed, updated, disseminated, and tested for compliance

Secure Strategy: Risk Assessment
  Five Steps include:
    1. Assign Values to Assets: Where are the Crown Jewels?
    2. Determine Loss due to Threats & Vulnerabilities: Confidentiality, Integrity, Availability; Loss = Downtime + Recovery + Liability + Replacement
    3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
    4. Compute Expected Loss: Risk Exposure = ProbabilityOfVulnerability * $Loss
    5. Treat Risk: Survey & Select New Controls; Reduce, Transfer, Avoid or Accept Risk

Risk Analysis Methods
  Qualitative Analysis: Likelihood is categorized: Low, Medium, High
  Semi-Quantitative Analysis: Likelihood is categorized in a scale: 1-10
  Quantitative Analysis: Likelihood is based on historical data, past experience, industry practice, tests, statistical theory
  Quantitative Analysis is the preferred method

Risk Strategies
  Avoid: Minimize dangerous activities
    Do not open any attachments or follow links
  Mitigate: Lessen the probability of danger
    Open attachments only from within company
    Buy anti-virus software, firewall, anti-spyware
  Transfer: Buy insurance
  Accept: Monitor for danger but continue on dangerous path
    Open those attachments
  Residual Risk: Remaining risk after controls are implemented

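The risk assessment steps, the quantitative analysis method and the Avoid/Mitigate/Transfer/Accept strategies on the preceding slides can be carried through numerically. The following is an added worked example, not code from the slides or from ISACA: it converts the slides' likelihood phrasing (weekly, monthly, yearly, once a decade) into events per year, computes Loss = Downtime + Recovery + Liability + Replacement and Risk Exposure = probability * $Loss, and then compares candidate treatments. The asset names, dollar figures and control effects are constructed sample values, and the decision rule (choose the treatment with the lowest annual control cost plus residual exposure) is an assumption of this example rather than a rule the slides state.

```python
"""Added example: annualized risk exposure and risk treatment selection.
All asset, threat and dollar figures are constructed sample values; the
minimum-total-cost decision rule is an assumption of this example."""
from dataclasses import dataclass

# Step 3 phrases likelihood as "weekly, monthly, 1 year, 10 years?".
# Converting each phrase to expected events per year annualizes step 4.
EVENTS_PER_YEAR = {"weekly": 52.0, "monthly": 12.0, "yearly": 1.0, "decade": 0.1}


@dataclass(frozen=True)
class Threat:
    """One threat/vulnerability pair against one asset (steps 1-3)."""
    asset: str
    name: str
    frequency: str       # key of EVENTS_PER_YEAR
    downtime: float      # step 2 loss components, dollars per event
    recovery: float
    liability: float
    replacement: float

    def loss(self) -> float:
        # Step 2: Loss = Downtime + Recovery + Liability + Replacement
        return self.downtime + self.recovery + self.liability + self.replacement

    def exposure(self) -> float:
        # Step 4: Risk Exposure = probability (events per year) * $Loss
        return EVENTS_PER_YEAR[self.frequency] * self.loss()


@dataclass(frozen=True)
class Treatment:
    """A candidate risk treatment (step 5)."""
    strategy: str                    # "Avoid", "Mitigate", "Transfer" or "Accept"
    description: str
    annual_cost: float               # control cost, premium, or forgone business
    likelihood_factor: float = 1.0   # fraction of events that still occur
    loss_factor: float = 1.0         # fraction of each loss still borne (Transfer)

    def residual(self, threat: Threat) -> float:
        # Residual risk: exposure that remains after the treatment is applied
        return threat.exposure() * self.likelihood_factor * self.loss_factor

    def total_cost(self, threat: Threat) -> float:
        return self.annual_cost + self.residual(threat)


def select_treatment(threat: Threat, options: list) -> Treatment:
    """Assumed decision rule: minimize annual treatment cost plus residual exposure."""
    return min(options, key=lambda t: t.total_cost(threat))


# Constructed sample register (hypothetical values).
RANSOMWARE = Threat("customer database", "ransomware delivered by email attachment",
                    "yearly", downtime=40_000, recovery=25_000,
                    liability=100_000, replacement=5_000)
RANSOMWARE_OPTIONS = [
    Treatment("Accept", "monitor, but keep opening attachments", 0),
    Treatment("Mitigate", "anti-virus and attachment filtering", 20_000, likelihood_factor=0.1),
    Treatment("Transfer", "cyber insurance covering 75% of loss", 30_000, loss_factor=0.25),
    Treatment("Avoid", "block all inbound attachments (lost productivity)", 60_000,
              likelihood_factor=0.0),
]

DEFACEMENT = Threat("marketing web site", "defacement of static pages",
                    "decade", downtime=2_000, recovery=3_000, liability=0, replacement=0)
DEFACEMENT_OPTIONS = [
    Treatment("Accept", "restore from backup if it happens", 0),
    Treatment("Mitigate", "managed web application firewall", 4_000, likelihood_factor=0.1),
]


def risk_register() -> list:
    """Evaluate every threat and return rows suitable for a risk register."""
    rows = []
    for threat, options in ((RANSOMWARE, RANSOMWARE_OPTIONS), (DEFACEMENT, DEFACEMENT_OPTIONS)):
        chosen = select_treatment(threat, options)
        rows.append({"asset": threat.asset, "threat": threat.name,
                     "loss_per_event": threat.loss(), "exposure": threat.exposure(),
                     "treatment": chosen.strategy, "residual": chosen.residual(threat),
                     "total_cost": chosen.total_cost(threat)})
    return rows


if __name__ == "__main__":
    for row in risk_register():
        print(f"{row['asset']:20} {row['threat']:42} exposure ${row['exposure']:>10,.0f} "
              f"-> {row['treatment']:8} residual ${row['residual']:>9,.0f} "
              f"total ${row['total_cost']:>9,.0f}")
```

With these sample numbers the ransomware threat is mitigated (anti-virus and filtering cost less than the exposure they remove) while the once-a-decade defacement is accepted, because the firewall's annual cost exceeds the whole exposure; the residual column is the slides' "remaining risk after controls are implemented". The same structure accommodates the qualitative and semi-quantitative methods by replacing EVENTS_PER_YEAR with a Low/Medium/High or 1-10 scale mapped to rates.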
Summary of Security Mgmt Functions
  Develop security strategy
    Regulatory & legal issues are addressed
    Linked with business objectives
    Sr Mgmt acceptance & support
  Complete set of policies
    Standards & Procedures for all relevant policies
  Security awareness for all users and security training as needed
  Classified information assets by criticality and sensitivity

Summary of Security Mgmt Functions
  Effective compliance & enforcement processes
    Metrics are maintained and disseminated
    Monitoring of compliance & controls
    Utilization of security resources is effective
    Noncompliance is resolved in a timely manner
  Effective risk mgmt and business impact assessment
    Risks are assessed, communicated, and managed
    Controls are designed, implemented, maintained, tested
    Incident and emergency response processes are tested
    Business Continuity & Disaster Recovery Plans are tested

Summary of Security Mgmt Functions
  Develop security strategy, oversee security program, liaise with business process owners for ongoing alignment
  Clear assignment of roles & responsibilities
  Security participation with Change Management
  Address security issues with 3rd party service providers
  Liaise with other assurance providers to eliminate gaps and overlaps

Question
  Documentation that would not be viewed by the IT Strategy Committee would be:
    1. IT Project Plans
    2. Risk Analysis & Business Impact Analysis
    3. IT Balanced Scorecard
    4. IT Policies

Question
  A document that describes how access permission is defined and allocated is the:
    1. Data Classification
    2. Acceptable Usage Policy
    3. End-User Computing Policy
    4. Access Control Policies

Question
  The risk that is assumed after implementing controls is known as:
    1. Accepted Risk
    2. Annualized Loss Expectancy
    3. Quantitative risk
    4. Residual risk

Question
  The role of the Information Security Manager in relation to the security strategy is:
    1. Creator
    2. Communicator to other departments
    3. Reviewer
    4. Approving the strategy

Question
  Product testing is most closely associated with which department:
    1. Audit
    2. Quality Assurance
    3. Quality Control
    4. Compliance

Question
  The role most likely to test a control is the:
    1. Security Administrator
    2. Security Architect
    3. Quality Control Analyst
    4. Security Steering Committee

Question
  The role responsible for defining security objectives and instituting a security organization is the:
    1. Chief Security Officer
    2. Executive Management
    3. Board of Directors
    4. Chief Information Security Officer

Question
  The persons on the Security Steering Committee who can contribute the BEST information relating to ensuring Information Security success are:
    1. Chief Information Security Officer
    2. Business process owners
    3. Executive Management
    4. Chief Information Officer

Question
  Passwords shall be at least 8 characters long, and require a combination of at least 3 of lower case, upper case, numeric, or symbol characters. This is an example of a:
    1. Standard
    2. Policy
    3. Procedure
    4. Guideline

Vocabulary to Study
  High Priority
    IT strategic committee, IT steering committee, Security steering committee
    Mission, Strategic plan, Tactical plan, Operational plan
    Quality Assurance, Quality Control
    CISO, CIO, CSO, Board of Directors, Executive Mgmt, Security Architect, Security Administrator
    Policy, Procedure, Standard, Guideline
    IT Balanced Scorecard, Measure, ISO 9000

Vocabulary to Study
  Low Priority
    Enterprise Architecture
    In Source, Out Source, Hybrid, Offshore, Onsite
    Acceptable Use Policy, Access Control Policies, Data Classification