Computer Security Management
Session 1: How IT Affects Risks and Assurance
EECS 4482 2017 David C. Chan

David Chan
David.c.chan@ontario.ca

What We Will Cover
• Nature, types and use of information
• System assurance criteria
• System assurance responsibilities
• System components
• Types of systems
Information Ownership and Classification
• Each information system and its information should be assigned to a senior manager as owner.
• The owner is accountable for information reliability, including classifying information based on risk and affording it the corresponding protection.

Information Assurance
• “Information assurance is the bedrock upon which enterprise decision-making is built. Without assurance, enterprises cannot feel certain that the information upon which they base their mission-critical decisions is reliable, confidential, secure and available when needed.” – Information Systems Audit and Control Association (ISACA)
System Assurance Criteria
• Completeness
• Authorization
• Accuracy
• Timeliness
• Occurrence

Completeness
• All transactions are recorded.
• Financial information and reports are complete.
• Customer statements are complete.
• Management information is complete.
• Statutory reports are complete.
• Applies to input, processing and output.

Authorization
• Only authorized transactions are processed.
• Reports are produced only for authorized users.
• Proper authorization for access to information, to ensure integrity and confidentiality.

Accuracy
• Transactions are recorded accurately.
• Reports are accurate.
• Information in storage is maintained and checked regularly to ensure accuracy.

Timeliness
• Transactions are recorded on a timely basis.
• Reports are current.
• Information in storage is regularly checked for currency.

Occurrence
• Only real transactions are recorded.
• Accounting balances reflect real assets, liabilities and equity.
• Underlying assumptions can realistically occur, e.g., valuation.
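Added example (not from the slides): the five assurance criteria above turned into concrete checks over a constructed transaction ledger, so that each criterion maps to a testable control. The purchase-order ids, users, amounts and timestamps are made up for illustration; the 24-hour recording window is an assumed policy value.

```python
from datetime import datetime, timedelta

# Constructed source documents (approved purchase orders) the ledger must reflect.
SOURCE_DOCS = {
    "PO-1001": {"amount": 250.00, "issued": datetime(2017, 9, 1, 9, 0)},
    "PO-1002": {"amount": 80.00,  "issued": datetime(2017, 9, 1, 9, 5)},
    "PO-1003": {"amount": 410.00, "issued": datetime(2017, 9, 1, 9, 10)},
    "PO-1004": {"amount": 99.00,  "issued": datetime(2017, 9, 1, 9, 15)},
}

# Users permitted to post transactions (authorization criterion); constructed.
AUTHORIZED_POSTERS = {"alice", "bob"}

# Constructed ledger: sequence numbers should be gap-free (completeness).
LEDGER = [
    {"seq": 1, "ref": "PO-1001", "amount": 250.00, "user": "alice",   "posted": datetime(2017, 9, 1, 10, 0)},
    {"seq": 2, "ref": "PO-1002", "amount": 85.00,  "user": "bob",     "posted": datetime(2017, 9, 1, 10, 1)},  # wrong amount
    {"seq": 3, "ref": "PO-1003", "amount": 410.00, "user": "alice",   "posted": datetime(2017, 9, 5, 10, 0)},  # recorded late
    {"seq": 5, "ref": "PO-9999", "amount": 30.00,  "user": "mallory", "posted": datetime(2017, 9, 3, 10, 0)},  # gap, no source, unauthorized
]


def check_ledger(ledger, source_docs, authorized, max_delay=timedelta(hours=24)):
    """Return {criterion: [findings]}; an empty list means that criterion holds."""
    findings = {k: [] for k in ("completeness", "authorization", "accuracy", "timeliness", "occurrence")}
    # Completeness: no gaps in the sequence, and every source document is recorded.
    seqs = sorted(e["seq"] for e in ledger)
    gaps = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs)) if seqs else []
    findings["completeness"] += [f"sequence gap at {s}" for s in gaps]
    recorded = {e["ref"] for e in ledger}
    findings["completeness"] += [f"{ref} never recorded" for ref in sorted(set(source_docs) - recorded)]
    for e in ledger:
        # Authorization: only approved posters may record transactions.
        if e["user"] not in authorized:
            findings["authorization"].append(f"seq {e['seq']} posted by unauthorized user {e['user']}")
        src = source_docs.get(e["ref"])
        if src is None:
            # Occurrence: an entry with no underlying document is not a real transaction.
            findings["occurrence"].append(f"seq {e['seq']} references unknown document {e['ref']}")
            continue
        # Accuracy: the recorded amount must match the source document.
        if abs(e["amount"] - src["amount"]) > 0.005:
            findings["accuracy"].append(f"seq {e['seq']} amount {e['amount']} != source {src['amount']}")
        # Timeliness: the transaction must be recorded within the allowed window.
        if e["posted"] - src["issued"] > max_delay:
            findings["timeliness"].append(f"seq {e['seq']} recorded {e['posted'] - src['issued']} after issue")
    return findings
```

Each finding names the sequence number, so an internal-control review can trace it back to the ledger entry and the owning manager.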
Components of a System
• Infrastructure
• Software
• People
• Procedures
• Information

IT Infrastructure
• Network
• Hardware
• Real estate

Software
• System software, e.g., operating system, database management system.
• Application software.

People
• Management
• Systems developers (analysts and programmers)
• Systems administrators, who control servers and workstations.
• Systems operations staff.
• Users

IT Organization
• Chief Information Officer
• Systems development and maintenance
• Systems operations
• Quality assurance – may be part of systems development in a small organization.
• Security – may be part of operations in a small organization.

Information System Roles and Responsibilities
• Chief information officer (CIO) – Oversees all uses of IT and ensures the strategic alignment of IT with business goals and objectives.
• Chief knowledge officer (CKO) – Responsible for collecting, maintaining, and distributing the organization’s knowledge.
• Chief privacy officer (CPO) – Responsible for ensuring the ethical and legal use of information.
• Chief security officer (CSO) – Responsible for ensuring the safety of IT resources, including data, hardware, software, and people.
• Chief technology officer (CTO) – Responsible for ensuring the throughput, speed, accuracy, availability, and reliability of IT.

Information Security Functions
• Risk assessment (Session 2)
• Policies and procedures development (Session 3)
• Security education (Session 9)
• Security design (Session 6)
• Authentication and authorization assurance (Sessions 9 and 10)
• Compliance monitoring (Session 9)
• Intrusion prevention and detection (Session 9)
• Vulnerability management (Session 9)
• Disaster recovery (Session 3)
• Forensics (Session 8)

Management Responsibilities
• Management includes executives and managers in business functions and corporate functions (such as the chief financial officer).
• Define information requirements.
• Assess the significance of information.
• Take ownership of business and functional systems, such as the enterprise resource planning system.
• Design and implement internal controls (using staff who are control experts).
• Review system information for reliability.
• Define system reliability criteria in relation to business requirements.
• Provide information assurance to senior executives.

User Responsibilities
• Control information under their custody in accordance with corporate policy and procedures.
• Inform management of irregularities and exceptions.
• Use information systems only for corporate purposes.

Procedures
• System operations procedures
• User procedures
Management Checklist
• Assign business executives to own information systems and infrastructure.
• Establish corporate policies and standards for information risk assessment.
• Establish a process for periodic risk assessment, internal control formulation and internal control reporting to senior management and the board of directors.
• Involve the board of directors in IT governance and ensure this is addressed at least twice a year in board meetings.
• Establish a policy on the use of I & IT in the organization with respect to how to use IT as a business enabler and the approval process for IT investment.
• Develop an IT strategy that is congruent with the business strategy. The IT strategy should consider the applicability of new technology.
• Develop a process to continuously assess the cost effectiveness of IT applications.
• Ensure that the job description and performance contract of each executive includes the appropriate I & IT assurance accountability.
• Establish an IT steering committee consisting of a cross section of senior executives, including the CIO, to carry out IT governance.