Assessment - PowerPoint PPT Presentation

About This Presentation

Title: Assessment

Slides: 66

Provided by: henksi

Transcript and Presenter's Notes
1
IT Auditing 9: Information Security, Code of
Practice for Information Security Management,
Certification of Information Security
Dr. Ir. Paul L. Overbeek RE, Overbeek.paul_at_kpmg.nl
2
Roadmap
3
(No Transcript)
4
Agenda
  • 101 on Information Security
  • Introduction to the Code of Practice for
    Information Security Management
  • Certification of Information Security

5
What are we talking about
  • Information is essential in our business
  • Information security is integrated in our
    business processes
  • And is certainly not a specialists-only area
  • It is the responsibility of both management and
    employees
  • Information security remains a moving target
    • business: new products, new markets
    • organisation: mergers, take-overs,
      reorganisations, job rotation, retention
    • IT: new technology, applications, operating
      systems, protocols
  • Information security is change control
  • A pro-active approach is required: information
    security in control

6
Basic information security objectives
  • Confidentiality
    • ensuring that information is accessible only to
      those authorised to have access
  • Integrity
    • safeguarding the authenticity, accuracy and
      completeness of information and processing
      methods
  • Availability
    • ensuring that authorised users have access to
      information and associated assets when required

7
Security from a business perspective
8
(Figure: reliability requirements, measures, assets, information)
9
Threats
  • Natural causes
  • Intentional actions
    • by authorised employees
    • by unauthorised employees / outsiders
  • Human errors, mistakes
    • by authorised employees
    • by unauthorised employees / outsiders
  • Software errors
  • Hardware and communication errors

10
External requirements
  • Social context
  • Privacy
  • Anonymity
  • Evidence
  • Legal requirements
  • Third party requirements
11
Requirements set by the organisation
Organisational context:
  • Structure
  • Management
  • Functions and responsibilities
  • Reporting structures
(Figure: organisation chart with George W, Scrooge, Alice, Bob, Chris)
12
Security measures
  • Organisational
  • Physical
  • Procedural
  • Technical
(Figure: LOGIN prompt)
13
Incident Cycle
(Figure: the incident cycle)
Threat → Prevention → Reduction → Incident → Detection → Repression → Damage → Correction → Recovery → Evaluation
14
Change is the only constant
  • Technology
  • Products and services
  • Business processes
  • Co-operation between organisations
  • Information security must change too!
  • From reactive to proactive

15
The Information Security Management Cycle
(Figure: management cycle with the following elements)
  • Policy
  • Control, organisation
  • Risk analysis
  • Feedback
  • Planning
  • Controls: organisational, technical, procedural, physical
  • Evaluation, testing
  • Implementation
16
Conclusion
  • Security should be based on strong organisational
    foundations from the start.
  • Why?
    • Keep up with change
    • Be prepared for incidents
    • Deal with personnel turnover
    • Avoid omissions caused by an ad hoc approach
    • Create security awareness among your staff
    • Grow in the right direction

17
Basic Risk Analysis
  • Real versus perceived risks of the IT
  • What should be done with enthusiasm, what is to
    be considered, and what is far over the top
  • Good housekeeping: policies, guidelines,
    organisation, responsibilities, relationships, or
  • Security Management
  • Risk management
    • The risks of using IT and the management of these
      risks

18
Searching for the real risks - The threats
  • Natural causes
  • Intentional actions
    • by authorised employees
    • by unauthorised employees / outsiders
  • Human errors, mistakes
    • by authorised employees
    • by unauthorised employees / outsiders
  • Software errors
  • Hardware and communication errors

19
Searching for the real risks - Ability to offer
a certain security quality?
  • Privacy and confidentiality
    • Resistant to hackers, etc.
    • Resistant to criminality
  • Authenticity
    • Authorised use and access
  • Integrity
    • Non-repudiation
  • Availability
    • Access when needed
  • Transparency (auditability)
  • Payment
  • Compliance with regulation
  • Integration of services
20
Searching for the real risks - Impact on your
business processes
  • Political consequences
  • Financial / economic impact
  • Commercial impact
  • Environmental impact
  • Impact on society, partners, clients
    • Loss of trustworthiness
    • Equal reaction, or worse
  • Legal aspects
    • Non-compliance with laws and regulation
    • Loss or harm for civilians, clients, relations,
      partners, ...
  • Safety
  • Privacy
  • Culture
    • Trust
    • Local or international?
  • Corporate image
    • Loss of good reputation / goodwill

21
Risk management
  • IT risks and the control thereof
  • Each security activity is (part of) a process
    • That needs to be managed and contained
    • A standstill implies decline
  • Information security is a set of processes
    • uniform, at all levels of your organisation
(Figure: strategy, tactics, operations)
22
Risk Management
  • Top management demands control and therefore
    oversight of the quality of the information
    security process and the measures
  • Management information often does not address
    today's needs
    • Large quantity of activities and measures
    • Responsibilities and reporting are scattered
  • Solution
    • Uniformity
    • A structured, integrated approach
    • The Code of Practice for Information Security
      Management (BS7799 / ISO 17799 / IST 17799 / ANZ
      7799 / ...)

23
Risk management: being in control
  • in control of what?
    • Information Security: Confidentiality,
      Integrity, Auditability, Availability
    • Effectiveness
    • Efficiency
    • Manageability
    • etc.

24
Code of Practice: Introduction
  • The purpose of information security is to ensure
    business continuity and to minimize business
    damage by preventing and minimizing the impact of
    security incidents.
  • Information security management enables
    information to be shared, while ensuring the
    protection of information and computing assets.
  • The three basic components (quality aspects) of
    CoP are
    • CONFIDENTIALITY
    • INTEGRITY
    • AVAILABILITY
  • Information takes many forms. It can be stored on
    computers, transmitted across networks, printed
    out or written down on paper, and spoken in
    conversations.
  • From a security perspective, appropriate
    protection must be applied to all forms of
    information, including papers, databases, films,
    view foils, models, tapes, diskettes,
    conversation and any other methods to convey
    knowledge and ideas.

25
Positioning CoP
(Figure: positioning of the Code of Practice by management layer)
  • Top management (Board of Directors): policy;
    reporting on security health
  • Line management and staff: Code of Practice for
    IT Security
  • IT management and staff: technical security
    standards and studies (Committees of EDP auditors,
    such as PI)
  • Other labels in the figure: Procedural, Physical,
    Personnel
  • Platforms shown: OS/390, RACF, Oracle, Internet,
    Intranet, Workflow, Unix, OS/400, NT
26
UNIFORMITY: Code of Practice for Information
Security Management, 1999
27
CODE OF PRACTICE FOR INFORMATION SECURITY
MANAGEMENT (CoP)
  • Developed in UK and NL
  • Also published in many other countries
  • Update 1999
  • Based on best practice of participants
  • Purpose
    • intended as a standard for a baseline level of
      security (due care)
    • enable mutual trust between partners
    • suitable for small, medium and large enterprises
  • Organisational and technical measures
  • 100 pages, 10 sections, 8 essential controls
  • Note: It is not an implementation standard but a
    set of guidelines and attention items. Use it
    with common sense!

28
Use of the CoP
  • 8 essential controls
  • 10 main categories
  • 36 objectives
  • 125 measures
  • Can be used for
    • Implementation of information security management
    • IT security management based on ITIL Sec Man
    • Audits and benchmarking
    • Agreements between partners (SLAs, IA)
    • Certification
  • Provides a consistent and uniform approach

29
Code of Practice for Information Security
  • 10 Sections
    • 3 Security Policy
    • 4 Security Organisation
    • 5 Asset Classification and Control
    • 6 Personnel security
    • 7 Physical and environmental security
    • 8 Communications and operations management
    • 9 Access control
    • 10 Systems development and maintenance
    • 11 Business continuity management
    • 12 Compliance

30
Where to start
  • Essential measures from a legislative viewpoint
    • Intellectual property rights
    • Safeguarding organisational records
    • Privacy of personal information
  • Essential measures for information security
    • Objectives / policy
    • Allocation of responsibilities for information
      security
    • Education and training
    • Reporting security incidents
    • Business continuity management

31
CoP
  • Background information

32
CoP Background information
  • THREE PRIMARY QUALITY ASPECTS (CIA)
    • CONFIDENTIALITY: Protecting sensitive
      information from unauthorized disclosure or
      intelligible interception
    • INTEGRITY (in revised CoP: Data integrity):
      Safeguarding the accuracy and completeness of
      information and computer software
    • AVAILABILITY: Ensuring that information and
      vital services are available to the business
      processes when required
  • CoP DEALS WITH INFORMATION SECURITY
    • INFORMATION in CoP has been defined as follows:
      the quality aspects apply to all forms of
      information: data stored on computers (data,
      text, video, speech), transmitted across
      networks, printed out or written down on paper,
      and spoken in conversations
33
CoP 3 Security policy
  • Information security policy
  • Objective: To provide management direction and
    support for information security.
  • Top management should set a clear direction and
    demonstrate their support for and commitment to
    information security through the issue of an
    information security policy across the
    organization.
  • Information security policy must be defined by
    top management
  • There must be an explicit owner of the policy,
    also responsible for periodic revisions and
    updates
  • Accessible to all persons involved
  • Attention to threats specific to one's own business

34
CoP 4 Security organisation
  • Objective: To manage information security within
    the organization.
  • A management framework should be established to
    initiate and control the implementation of
    information security within the organization.
  • Steering committee / coordination
  • Allocation of security responsibilities
  • Authorisation process for IT facilities
  • Specialist security advice
  • Cooperation between organisations
  • Independence of reviews
  • Security of third party access
  • Revised CoP: Text has been added to describe when
    third party access happens, what the risks of
    third party access are, what should be included in a
    third party contract and what should be covered
    by an outsourcing contract

35
CoP 5 Assets classification and control
  • Accountability for assets
  • Objective: To maintain appropriate protection of
    organizational assets.
  • All major information assets should be accounted
    for and have a nominated owner.
  • Accountability for assets helps ensure that
    adequate security protection is maintained.
    Owners should be identified for major assets and
    assigned responsibility for the maintenance of
    appropriate security measures. Responsibility for
    implementing security measures may be delegated,
    though accountability should remain with the
    nominated owner of the asset.
  • Label, e.g. "vital to business", "Top Secret data"

(Figure: resource with owner and classification)
36
CoP 5 Assets classification and control ...
  • Inventory of assets
  • Each asset must have an owner
  • Classification guidelines
  • Classification labels
  • Revised CoP: Text on the valuation and importance
    of assets has been added, and the concept of
    information classification has been broadened to
    cover the general aspect of information
    labelling, including integrity and availability
    labels

37
CoP 6 Personnel security
  • Security in job definition and resourcing
  • Objective: To reduce the risks of human error,
    theft, fraud or misuse of facilities.
  • Security should be addressed at the recruitment
    stage, included in job descriptions and
    contracts, and monitored during an individual's
    employment.
  • Managers should ensure that job descriptions
    address all relevant security responsibilities.
    Potential recruits should be adequately screened,
    especially for sensitive jobs. All employees and
    third party users of IT facilities should sign a
    confidentiality (non-disclosure) undertaking.

38
CoP 6 Personnel security ...
  • Security in job descriptions
  • Recruitment screening
  • Confidentiality agreement
  • User education and training
  • Responding to incidents
    • reporting of security incidents
    • reporting of security weaknesses
    • reporting of software malfunctions
    • disciplinary process
  • Revised CoP: Text has been added to cover terms
    and conditions of employment, the need for the
    employee to abide by the same rules and
    principles as the rest of the organisation, and
    more details on personnel screening and policy.
    The fact that security incidents should be used
    in awareness and training, and that lessons should
    be learnt from them, was emphasised

39
CoP 7 Physical and environmental security
  • Secure areas
  • Objective: To prevent unauthorized access, damage
    and interference to IT services.
  • IT facilities supporting critical or sensitive
    business activities should be housed in secure
    areas.
  • Such facilities should also be physically
    protected from unauthorized access, damage and
    interference. They should be sited in secure
    areas, protected by a defined security perimeter,
    with appropriate entry controls and security
    barriers. A clear desk policy is recommended to
    reduce the risk of unauthorized access or damage
    to papers and media.

40
CoP 7 Physical and environmental security ...
  • Physical security perimeter
    • buildings and/or campus
    • physical barriers and procedures
    • badges, card keys
    • registration and supervision of visitors
  • Physical entry controls
    • data centers, computer rooms
    • clear desk policy
  • Equipment security
    • due care
  • Revised CoP: Minor additions on intruder alarms,
    fire alarms, visitor instructions, and security
    furniture. Security issues arising from equipment
    used off-site and home working have also been
    considered

(Figure: physical security zones, IBM example)
  • Non-IBM Space
  • IBM Public Space
  • IBM Internal Space
  • Controlled Access (1) Area: office room, locked
    when unattended
  • Controlled Access (2) Area: raised floor
  • Isolated Area
41
CoP 8 Computer and network management
  • Operational procedures and responsibilities
  • Objective: To ensure the correct and secure
    operation of computer and network facilities.
  • Responsibilities and procedures for the
    management and operation of all computers and
    networks should be established.
  • This should be supported by appropriate operating
    instructions and incident response procedures.
    The principle of segregation of duties should be
    applied, where appropriate, to reduce the risk of
    negligent or deliberate system misuse.

42
CoP 8 Computer and network management ...
  • Documented operating, development and control
  • Capacity planning, acceptance
  • Contingency
  • Change management
  • Virus control
  • Backups, operator logs, air conditioning
  • Network security
  • Protection of removable media

43
CoP 8 Computer and network management ...
  • Revised CoP
    • This chapter has been renamed Communications and
      Operations Management and extended to cover a
      wide interpretation of information processing
    • Text has been added on computers, networks,
      mobile computing and communications, voice mail
      and communications, messaging, multimedia, postal
      services, fax machines, and any other existing or
      developing technology for the processing and
      communication of information
    • The discussion on viruses has been broadened to
      any unauthorised or malicious software
    • The section on data and software exchange has
      been extended to cover electronic commerce and
      messaging, and a new subsection on publicly
      available systems was added

44
CoP 9 System access control
  • Business requirement for system access
  • Objective: To control access to business
    information.
  • Access to computer services and data should be
    controlled on the basis of business requirements.
  • This should take account of policies for
    information dissemination and entitlement.
  • User registration
  • User password management
  • Access control for workstations, network,
    services and applications
  • Monitoring system access and use

45
CoP 9 System access control ...
  • Revised CoP
    • This chapter has been renamed Access Control
      and generally edited to cover the extension from
      IT to information
    • The amount of detail, especially within the
      subsections on passwords, has been reduced to
      achieve a consistent level of detail throughout
      the document
    • It has been emphasised that passwords are not the
      only way of authentication, and a new section on
      mobile computing and tele-working has been added

46
CoP 10 Systems development and maintenance
  • Security requirements of systems
  • Objective: To ensure that security is built into
    IT systems.
  • Security requirements should be identified and
    agreed prior to the development of IT systems.
  • Security countermeasures are substantially
    cheaper and more effective if incorporated in
    application systems at the requirements
    specification and design stages. All security
    requirements, including the need for fallback
    processing, should be identified at the
    requirements phase of a project and justified,
    agreed and documented as part of the overall
    business case for an information system.

47
CoP 10 Systems development and maintenance ...
  • Security requirements analysis and specification
  • Input data validation
  • Data encryption
  • Message authentication
  • Change management
  • Technical review of operating system changes
  • Revised CoP
    • New subsections on output validation, digital
      signatures, non-repudiation, key management,
      covert channels and Trojan code have been added
    • More emphasis has been put on the description of
      cryptographic techniques, and how they can be
      employed to achieve various ways of protection
    • Text on software integrity and evaluation has
      been added to the section on security
      requirements analysis and specification

48
CoP 11 Business continuity planning
  • Aspects of business continuity planning
  • Objective: To have plans available to counteract
    interruptions to business activities.
  • Business continuity plans should be available to
    protect critical business processes from the
    effects of major failures or disasters.
  • There should be a process to develop and maintain
    appropriate plans for the speedy restoration of
    critical business processes and services in the
    event of serious business interruptions.
  • Business continuity planning should include
    measures to identify and reduce risks, limit the
    consequences should a threat be realized, and
    ensure speedy resumption of essential operations.
  • Revised CoP: This chapter has been renamed
    Business Continuity Management and has been
    restructured and extended to put more emphasis on
    the business continuity management process. A
    business continuity and impact analysis must be
    the basis of any business continuity plan

49
CoP 12 Compliance
  • Compliance with legal requirements
  • Objective: To avoid breaches of any statutory,
    criminal or civil obligations and of any security
    requirements.
  • The design, operation and use of IT systems may
    be subject to statutory and contractual security
    requirements.
  • All relevant statutory and contractual
    requirements should be explicitly defined and
    documented for each IT system. The specific
    controls, countermeasures and individual
    responsibilities to meet these requirements
    should be similarly defined and documented.
  • Advice on specific legal requirements should be
    sought from the organization's legal advisers.
    Legislative requirements vary from country to
    country.

50
CoP 12 Compliance ...
  • Compliance with legal and contractual
    requirements
    • illegal copies
    • confidential data
    • privacy laws
    • computer crime and abuse act
  • Compliance with security policy
  • Technical compliance checking
  • Revised CoP
    • The text has been reworded to make it more
      international in nature, and so all (UK/NL)
      specific references have been removed
    • The text on control of proprietary software
      copying and safeguarding of organisational
      records has been extended, and a new subsection
      on collection of evidence was added

51
Agenda
  • 101 on Information Security
  • Introduction to the Code of Practice for
    Information Security Management
  • The certification process - overview
  • The Statement of applicability
  • Documentation assessment
  • Implementation assessment

52
CERTIFICATION AGAINST CoP
  • Creates a goal and offers an additional
    management tool
  • Methods and techniques

53
Why evaluation and certification against CoP?
  • Overall benefit for organisations
    • strengthening the confidence between trading
      partners
    • better protection of customer and other external
      interests
  • CoP (BS7799) is an internationally accepted
    security standard
  • CoP is fit for Small and Medium Enterprises (SME)
    and Multi Nationals (MN)
  • CoP should be tailored to the customer's needs
  • Key players adopt CoP as their security standard

54
Evaluation approach to certify
  • Application for certification against CoP
  • Trial assessment
  • Review of documentation
  • Implementation assessment
  • Decision to certify
  • Issue the certificate
  • The period of the certification agreement is
    three years
  • Surveillance audits each year

55
Security evaluation and certification
  • Prepare yourself
  • Step 1
    • confirm review scope
    • review controls selection process
    • determine internal review strategy
  • Step 2
    • organise self assessments or
    • organise internal / third party audits
    • use standard questionnaires and toolkit
    • analyse results
    • define improvement plan (security year plan)
  • Step 3
    • agree corrective action
    • prepare compliance statement
    • management approval and sign off
  • Step 4: apply for certification

56
Implication of the certificate
  • The certificate implies that
    • a management framework for information security
      is in place
    • there are no critical non-conformities against
      the code of practice
    • there can exist some non-critical
      non-conformities
  • The certificate does not imply that
    • no weaknesses exist at all
    • no shortcomings in information security can
      ever arise

57
Certification process
  • The certification process will show necessary
    improvement actions, but no surprises should
    emerge
  • The certification process is a pro-active
    approach
  • The certification process depends on input from
    local management
  • Clear communication of what is needed
    • it is positive
    • no surprises
    • looking ahead
    • stimulus

58
Remarks on certification
  • Accreditation and certification are not a one-time
    action, but an ongoing process
  • This process has to be implemented into the
    management framework
  • Accreditation and certification can help an
    organisation to grow to a mature level of
    information security
  • A certificate is not an assurance that everything
    is all right always and everywhere and that
    nothing will ever go wrong.
  • Overall benefit
    • strengthening the confidence between trading
      partners
    • better protection of customer and other external
      interests

59
The Scheme
(Figure: the certification scheme)
  • CoP (BS7799)
  • Internal audits
  • Statement of compliance
  • Your security plan
    • Criteria
    • Processes
    • Audit results
    • Management framework
  • Certificate / statement of applicability
  • Implemented plan
  • Certification audit
60
What do you do anyway
(Figure: the organisation's own cycle)
Define your security plan → Demand compliance / implement plan → Internal audit to check compliance → Statement of compliance
Responsibility: the organisation
61
Additional for certification
(Figure: the same cycle, with a certification audit added)
  • Define your security plan
  • Demand compliance / implement plan
  • Internal audit to check compliance
  • Certification audit
  • Certificate
62
Certification Audit
Don't lie to an auditor
63
Conclusion on Certification
  • Benefits
    • Get your house in order
    • Strengthen trust between business partners
  • Limitations
    • Scope and depth
    • Process oriented
  • And of course
    • Improves information security permanently!
    • Better protection of our clients' and third party
      interests

64
Conclusion of today
  • Information Security
  • Code of Practice for Information Security
    Management
  • ITIL Security Management
  • Audits and Benchmarking
  • Agreements with partners (SLAs)
  • Certification
  • What is in it for you
  • And for your organisation

65
Questions?