IT Governance
Information Security
Governance
Acknowledgments
Material is sourced from:
CISA Review Manual 2011, 2010, ISACA. All rights reserved.
Used by permission.
CISM Review Manual 2012, 2011, ISACA. All rights reserved.
Used by permission.
Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and
Laboratory Improvement (CCLI) grant 0837574: Information
Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations
expressed in this material are those of the author(s) and/or
source(s) and do not necessarily reflect the views of the National
Science Foundation.
Objectives
Students should be able to:
Describe IT governance committees: IT strategic committee, IT steering
committee, security steering committee
Describe mission, strategic plan, tactical plan, operational plan
Define quality terms: quality assurance, quality control
Describe security organization members: CISO, CIO, CSO, Board of
Directors, Executive Management, Security Architect, Security Administrator
Define policy, compliance, IT Balanced Scorecard, measure, ISO 9001,
enterprise architecture
Define sourcing practices: insource, outsource, hybrid, onsite, offshore
Define policy documents: data classification, acceptable usage policy, access
control policies
Corporate Governance
Corporate Governance: Leadership by
corporate directors in creating and presenting
value for all stakeholders
IT Governance: Ensure the alignment of IT with
enterprise objectives
Responsibility of the board of directors and
executive mgmt
IT Governance Objectives
Processes include:
Equip IS functionality and address risk
Measure performance of delivering value to the
business
Comply with legal and regulatory requirements
IT Governance Committees
IT Strategic Committee (board members & specialists)
Focuses on direction and strategy
Advises board on IT strategy and alignment
Optimization of IT costs and risk
IT Steering Committee (business executives (IT users), CIO, key advisors (IT, legal, audit, finance))
Focuses on implementation
Monitors current projects
Decides IT spending
Figure: Main concerns of the IT Strategy Committee versus the IT Steering Committee, shown across the strategic, tactical and operational levels.
Strategic Planning
Strategy:
Achieve COBIT Level 4
Tactical: During next 12 months:
Each business unit must identify current applications in
use
25% of all stored data must be reviewed to identify critical
resources
Business units must achieve regulatory compliance
A comprehensive risk assessment must be performed for
each business unit
All users must undergo general security training
Standards must exist for all policies
Figure: Mission, Strategies, Measures.
IT Balanced Scorecard
Financial Goals: How should we appear to stockholders? Vision / Metrics / Performance
Customer Goals: How should we appear to our customers? Vision / Metrics / Performance
Strategic Plan: Objective and Timeframe
Incorporate the business: 5 yrs
Pass a professional audit: 4 yrs
Tactical Plan: Objective and Timeframe
Perform strategic-level security, includes: 1 yr
Perform risk analysis: 6 mos.
Perform BIA: 1 yr
Define policies: 1 yr
Operational Planning
Objective: Hire an internal auditor and security professional
Timeframe: 2 months: March 1
Responsibility: VP Finance
Further rows of the table list only the responsible parties: VP Finance & Chief Information Officer (CIO); CIO & Security Team
Enterprise Architecture
Figure: Enterprise architecture grid. Rows: Scope, Enterprise Model, Systems Model, Tech Model, Detailed Representation (Tech). Columns: Functional Network (Applic.), People (Org.), Process (Flow), Strategy.
Sourcing Practices
Insourced: Performed entirely by the organization's staff
Outsourced: Performed entirely by a vendor's staff
Hybrid: Partial insourced and outsourced
Onsite: Performed at IS dept site
Offsite or Nearshore: Performed in same geographical area
Offshore: Performed in a different geographical region
What advantages can you think of for insourcing versus
outsourcing?
Quality Definitions
Quality Assurance: Ensures that staff are
following defined quality processes: e.g.,
following standards in design, coding,
testing, configuration management
Quality Control: Conducts tests to validate
that software is free from defects and
meets user expectations
Performance Optimization
Phases of Performance Measurement include:
Establish and update performance metrics
Establish accountability for performance
measures
Gather and analyze performance data
Report and use performance results
Note: Strategic direction for how to achieve
performance improvements is necessary
Categories of Performance
Measures
Performance Measurement: What are
indicators of good IT performance?
IT Control Profile: How can we measure the
effectiveness of our controls?
Risk Awareness: What are the risks of not
achieving our objectives?
Benchmarking: How do we perform relative to
others and standards?
End-user complaints
Excessive costs or budget overruns
Late projects
Poor motivation - high staff turnover
High volume of H/W or S/W defects
Inexperienced staff, lack of training
Unsupported or unauthorized H/W or S/W purchases
Numerous aborted or suspended development projects
Reliance on one or two key personnel
Poor computer response time
Extensive exception reports, many not tracked to completion
Question
Which of the following is not a valid purpose of the IS
Audit?
1. Ensure IS strategic plan matches the intent of the
enterprise strategic plan
2. Ensure that IS has developed documented processes
for software acquisition and/or development
(depending on IS functions)
3. Verify that contracts followed a documented process
that ensures no conflicts of interest
4. Investigate program code for backdoors, logic bombs,
or Trojan horses
Question
Documentation that would not be viewed
by the IT Strategy Committee would be:
1. IT Project Plans
2. Risk Analysis & Business Impact Analysis
3. IT Balanced Scorecard
4. IT Policies
Information Security Governance
Figure: Governance, Policy, Risk.
Security Organization
Board of Directors: defines security objectives and institutes the security organization
Executive Management / Security Steering Committee: senior representatives of business functions ensure alignment of the security program with business objectives
Also shown: review risk assessment & business impact analysis; define penalties for non-compliance with policies
Other positions: Chief Risk Officer (CRO), Chief Compliance Officer (CCO), Chief Information Security Officer (CISO)
Security Governance
Strategic Alignment: Security solution consistent with
organization goals and culture
Risk Management: Understand threats and cost-effectively
control risk
Value Delivery: Prioritized and delivered for greatest business
benefit
Performance Measurement: Metrics, independent assurance
Resource Management: Security architecture development &
documentation
Process Integration: Security is integrated into a well-functioning organization
Legal Issues
International trade and employment may be liable to different regulations than exist in the U.S., affecting:
Hiring
Internet business
Trans-border data flows
Cryptography
Copyright, patents, trade secrets
Info Security Steering Committee (figure)
Interview stakeholders (HR, legal, finance) to determine organizational issues & concerns
Develop security policies for approval by management
Conduct security training & test for compliance
Improve standards
Develop compliance monitoring strategy
Artifacts shown: Security Policies; Training materials
Security Relationships
Figure: Security Strategy, Risk, & Alignment. Elements shown: Security requirements; Access control; Security requirements in RFP; Contract requirements; Security requirements and review; Change control; Security upgrade/test; Hiring, training, roles & responsibility, Incident handling; Security requirements sign-off, Acceptance test, Access authorization; Laws & Regulations; Security monitoring, Incident response, Site inventory, Crisis management; Security Organization; Security Framework; Compliance Monitoring; Policies, Standards, Procedures.
Secure Strategy:
Risk Assessment
Five Steps include:
1. Assign Values to Assets:
2.
3.
5.
4.
Treat Risk
Compliance Function
Compliance: Ensures compliance with
organizational policies
E.g.: Listen to selected help desk calls to verify
proper authorization occurs when resetting
passwords
Best if compliance tests are automated
Compliance: ongoing process that ensures adherence to policies over time
Audit: snapshot of compliance at a point in time
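As an added example (not from the lecture or the ISACA manuals), an automated compliance test of the kind the slide recommends: it reads constructed help-desk password-reset records and flags resets that were not preceded by an approved identity-verification step. The record layout, the approved verification methods and the sample tickets are all assumptions.

```python
"""Automated compliance test for the help-desk password-reset policy.
Constructed example: the policy, record layout and tickets are hypothetical."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Verification methods the hypothetical policy accepts before a reset.
APPROVED_VERIFICATION = {"callback_registered_phone", "manager_approval", "badge_in_person"}

@dataclass
class ResetRecord:
    ticket: str
    agent: str
    verification: Optional[str]      # method recorded by the agent, None if skipped
    verified_at: Optional[datetime]  # when the verification was logged
    reset_at: datetime               # when the password was actually reset

def check_reset(rec: ResetRecord) -> List[str]:
    """Return the policy violations for one record (empty list = compliant)."""
    problems = []
    if rec.verification is None:
        problems.append("no identity verification recorded")
    elif rec.verification not in APPROVED_VERIFICATION:
        problems.append(f"verification method '{rec.verification}' not approved")
    if rec.verified_at is None:
        if rec.verification is not None:
            problems.append("verification time missing")
    elif rec.verified_at > rec.reset_at:
        problems.append("verification logged after the reset")
    return problems

def compliance_report(records: List[ResetRecord]) -> Dict[str, List[str]]:
    """Map ticket id -> violations for every non-compliant record."""
    report = {}
    for rec in records:
        issues = check_reset(rec)
        if issues:
            report[rec.ticket] = issues
    return report

# Constructed sample of one shift's reset tickets (not real data).
SAMPLE = [
    ResetRecord("T-1001", "agent_a", "callback_registered_phone", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 9, 5)),
    ResetRecord("T-1002", "agent_b", None, None, datetime(2024, 3, 1, 9, 20)),
    ResetRecord("T-1003", "agent_a", "caller_knew_employee_id", datetime(2024, 3, 1, 10, 0), datetime(2024, 3, 1, 10, 2)),
    ResetRecord("T-1004", "agent_c", "manager_approval", datetime(2024, 3, 1, 11, 30), datetime(2024, 3, 1, 11, 0)),
]

if __name__ == "__main__":
    for ticket, issues in compliance_report(SAMPLE).items():
        print(ticket, "->", "; ".join(issues))
```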
Compliance Program
Security Review or Audit Test
Objective: Is our web-interface to DB safe?
Scope: Penetration test on DB
Constraints: Must test between 1-4 AM
Approach:
1. Tester has valid session credentials
2. Specific records allocated for test
3. Test: SQL Injection
Result:
These problems were found:
Security Positions
Security Architect:
Design secure network topologies, access control, security policies & standards
Evaluate security technologies
Work with compliance, risk management, audit
Security Administrator:
Allocate access to data under data owner
Prepare security awareness program
Test security architecture
Monitor security violations and take corrective action
Review and evaluate security policy
Security Architect: Control Analysis
Do controls fail secure or fail open?
Is the policy restrictive or permissive (denied unless expressly permitted, or vice versa)?
Does the control align with policy & business expectation?
Control Practices
These may be useful in particular conditions:
Automate Controls: Make technically infeasible to bypass
Access Control: Users should be identified, authenticated and
authorized before accessing resources
Secure Failure: If compromise possible, stop processing
Compartmentalize to Minimize Damage: Access control required per
system resource set
Transparency: Communicate so that the average layperson understands the control -> understanding & support
Trust: Verify communicating partner through trusted 3rd party (e.g., PKI)
Trust No One: Oversight controls (e.g., CCTV)
Segregation of Duties: Require collusion to defraud the organization
Principle of Least Privilege: Minimize system privileges
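Added example, not part of the lecture: an access check written so that the control-analysis questions above (fail secure vs. fail open; restrictive vs. permissive policy) are explicit parameters, exercised against a constructed policy store and a backend that can fail. The user names, the policy layout and both backends are hypothetical.

```python
"""Control analysis as code: default-deny vs. default-permit, fail secure vs. fail open.
Constructed example; the policy store layout and backends are hypothetical."""
from typing import Callable, Dict, Set, Tuple

Grant = Tuple[str, str]                        # (action, resource)
Policy = Dict[str, Dict[str, Set[Grant]]]      # user -> {"allow": {...}, "deny": {...}}

class PolicyUnavailable(Exception):
    """Raised by the hypothetical policy backend when it cannot answer."""

def authorize(user: str, action: str, resource: str,
              load_policy: Callable[[], Policy],
              restrictive: bool = True, fail_secure: bool = True) -> bool:
    """Return True only when the request is allowed.
    restrictive: deny unless expressly permitted (else permit unless expressly denied).
    fail_secure: a backend failure yields deny (else the control fails open)."""
    try:
        policy = load_policy()
    except PolicyUnavailable:
        return not fail_secure               # fail secure -> False, fail open -> True
    rules = policy.get(user, {"allow": set(), "deny": set()})
    request = (action, resource)
    if request in rules["deny"]:
        return False                         # an explicit deny wins in both modes
    if restrictive:
        return request in rules["allow"]     # denied unless expressly permitted
    return True                              # permissive: allowed unless denied

# Constructed policy: alice may read the payroll report; bob is explicitly denied it.
SAMPLE_POLICY: Policy = {
    "alice": {"allow": {("read", "payroll_report")}, "deny": set()},
    "bob":   {"allow": set(), "deny": {("read", "payroll_report")}},
}

def healthy_backend() -> Policy:
    return SAMPLE_POLICY

def broken_backend() -> Policy:
    raise PolicyUnavailable("policy service timed out")

def analyze_control() -> Dict[str, bool]:
    """Answer the slide's control-analysis questions for each configuration."""
    return {
        "granted_read":       authorize("alice", "read", "payroll_report", healthy_backend),
        "ungranted_write":    authorize("alice", "write", "payroll_report", healthy_backend),
        "unknown_user":       authorize("carol", "read", "payroll_report", healthy_backend),
        "permissive_unknown": authorize("carol", "read", "payroll_report", healthy_backend, restrictive=False),
        "permissive_denied":  authorize("bob", "read", "payroll_report", healthy_backend, restrictive=False),
        "outage_fail_secure": authorize("alice", "read", "payroll_report", broken_backend),
        "outage_fail_open":   authorize("alice", "read", "payroll_report", broken_backend, fail_secure=False),
    }
```

Only the restrictive, fail-secure configuration denies every request the policy did not expressly grant, including requests made while the policy backend is down.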
Security Administrator:
Security Operations
Identity Mgmt & Access control
System patching & configuration mgmt
Change control & release mgmt
Security metrics collection & reporting
Control technology maintenance
Incident response, investigation, and
resolution
Question
Who can contribute the MOST to determining the
priorities and risk impacts to the organization's
information resources?
1. Chief Risk Officer
2. Business Process Owners
3. Security Manager
4. Auditor
Question
When implementing a control, the PRIMARY
guide to implementation adheres to:
1. Organizational Policy
2. Security frameworks such as COBIT, NIST,
ISO/IEC
3. Prevention, Detection, Correction
4. A layered defense
Reference
Slide #   Slide Title                 Source of Information
          Corporate Governance
          IT Governance Committees    CISA: page 90
          IT Strategy Committee       CISA: page 90
12                                    CISA: page 91
16        Enterprise Architecture
17        Sourcing Practices
18
19        Quality Definitions
20        Performance Optimization
21
32        Security Organization
33        Security Governance
39
40
43        Security Positions