1.05k likes | 1.81k Views
Information Security Governance and Standards. Prof. Chandan Mazumdar Coordinator, Centre for Distributed Computing, Department of Computer Science & Engineering, Jadavpur University, Kolkata – 700 032 E-mail: chandanm@cse.jdvu.ac.in. Corporate Governance.
E N D
Information Security GovernanceandStandards Prof. Chandan Mazumdar Coordinator, Centre for Distributed Computing, Department of Computer Science & Engineering, Jadavpur University, Kolkata – 700 032 E-mail: chandanm@cse.jdvu.ac.in
Corporate Governance • Corporate Governance is the set of processes, customs, policies, laws and institutions affecting the way a corporation is directed, administered or controlled. It is used to monitor whether outcomes are in accordance with plans. • Major activities • Direct, plan or establish responsibilities • Control outcomes, or ensure implementation, or ensure compliance • Risk Management is one of the key responsibilities
The Players • Strategic Level • Board of Directors & Executive Management • Tactical Level • Senior & Middle Management • Operational Level • Lower Management & Administration • Directives flow from the top • Execution is done at the lowest level • Middle level is responsible for the control and feedback
Components of Corporate Governance • Financial Governance • HR Governance • IT Governance • …
IT Governance • IT Governance consists of the leadership, organizational structures and processes that ensure that the organization’s IT posture sustains and extends the organization’s strategies and objectives • Board should generate such directives as to ensure that the strategic objectives of the business are not jeopardized by IT failures and/or compromise of the IT assets.
Compnents and Standards • Components • Performance and capacity governance • Information Security Governance • Standard • COBIT (Control Objectives for Information and Related Technologies) from ISACA (Information Systems Audit and Control Association)
Information Security • To ensure the protection of the following properties of information assets: • Confidentiality • Integrity • Availability • Authenticity • Non-repudiation
Dimensions of Information Security • Governance • Organization • Management • Policy • Best Practices • Ethical • Certification • Legal • Insurance • HR • Awareness • Technical • Measurement / Metrics • Audit • Forensics
Information Security Governance (ISG) • The Management commitment and leadership, organizational structures, user awareness and commitment, policies, procedures, processes, technologies and compliance enforcement mechanisms all working together to assure that information security is maintained at all times. • ISG • Is an integral part of Corporate Governance • Should ensure cost-effectiveness • Should be risk based • Should ensure that all security appliances are in place • BoD should exercise due diligence and due care in ensuring that a IS strategy exists and that management implements it
Positioning ISG Corporate Governance IT Governance ISG
ISG Model – Management Levels • Strategic Level • Decides “WHAT” must be done • Tactical Level • Decides “HOW” it must be done • Operational Level • Things are actually done according to set procedures, guidelines and standards
ISG Model – Actions • Direct • What must be done should be very clearly specified through a series of directives reflecting the BoD’s expectation • Control • Directives are expanded into a set of policies, standards, guidelines and procedures, reflecting the expectation of the Middle Management of how they want IT assets to be protected. Compliance to the directives is measured, monitored and reported. • Execute • The above inputs are expanded into sets of Administrative Guidelines and Administrative Procedures. Necessary technical measures to implement the directives from middle management are physically implemented and managed.
ISG Model – Control • Operational Level • Measurement data is extracted from a wide range of entities, like log files of OS, DB, firewalls, IDSs and many other forms of utility and specialized software sources • Tactical Level • The operational measurement data is compiled and integrated to perform measurement and monitoring against the relevant policies and standards. These measurements are used to control the operational level. Also, these data are aggregates or abstracted to indicate the levels of compliance and conformance to the Board Directives. • Strategic Level • Reports reflecting compliance and conformance to relevant directives are tendered and Risk situation is elicited
Information Security Policy Architecture Board Directive Corporate Information Security Policy Issue Specific Policy 1 Issue Specific Policy 2 Issue Specific Policy 3 Procedure 1.2 Procedure 1.1
Corporate Information Security Policy (CISP) • Must indicate the Board’s Support and Commitment • Accepted and signed by the CEO • Should be “Crisp” document • Should be a “Stable” document • Must be “Technology Neutral” • Must indicate the “owner” and other responsible roles • Must indicate the “Scope” • Must refer to the disciplinary actions in case of violations of CISP and its sub-policies • Must be widely disseminated • Must have a compliance clause
Representative Set of Issue Specific Policies • Acceptable Usage Policy • Email Policy • Anti-virus Policy • Backup Policy • Information Security Incident Policy • Network Security Policy • Access Control Policy • Physical and Environmental Security Policy • Third Party Access Policy • Remote Access Policy • Data Classification Policy • Information Security Awareness Policy
Compliance Management • Include compliance clause with each policy • Each compliance should include • Compliance checking cycle • Nature of Report to be provided • How the data for reporting has to be captured • You can not manage what you can not measure
Compliance Management Approach • Which IT Security Risks are to be monitored? • Which data are needed to monitor the status of these Risks? • In what way the results are to be reported to the Executive Management / BoD so that they can understand the situation? • The database for compliance management may be populated manually or automatically.
Risk Management High Probability Contain & Control Prevent Low Impact High Impact Insurance & Back-up Plan Ignore Low Probability
Risk Management Approach • Risk Assessment • Risk Analysis: Process to identify all major risks • Risk Evaluation: Process to evaluate every major risk and to allocate some value or size to the risk • Risk treatment • Process to identify and implement suitable controls to mitigate the risk to an acceptable level
Management involvement • Strategic Level • Indicates which major information-related risks bother management • Tactical Level • Does Event/Impact Analysis to identify possible risks based on questionnaires • Operational Level • Does the formal risk assessment and evaluation
ISG Organization • Operational Management • Implement Information Security Management System by creating Policies & Procedures, organizing Awareness Programs, implementing safeguards and controls enforce the CISP • Compliance Management • Receives data from IT Dept., Audit Dept., Users, and other Depts., compiles and aggregates the data, finds out the compliance and conformance status and reports to the BoD for proper governance
Use of Standards in ISG • COBIT is a good best practices guideline for IT Governance • ISO 27002 is a good best practices guideline for Information Security Management System
COBIT Structure • Domains • Domains are Groups of Processes • Follow the Responsibility Domains and Management Lifecycle • Processes • Processes are sequences of Activities / Tasks • Activities / Task • Activities and Tasks are needed to achieve a measurable result • Activities have life-cycle concept, tasks are more discrete
COBIT Domains • Planning and Organization • Acquisition and Implementation • Delivery and Support • Monitoring
Use of COBIT in ISG Compliance • 62 out of 318 Control Objectives have direct impact on Information Security • These can be used to implement the monitoring and compliance checking
ISO 27002 Structure • Provides a well proven framework to implement security within an organization • It offers a business-led approach to best practice for information security management in the organization • Information security is characterized within BS 7799 by preservation of • Confidentiality • Integrity • Availability
ISO 27002: Security Domains, Objectives and Controls • It consist of • 11 Causes • 39 Security Categories • 134 Controls
Conclusion • Information Security Governance is part of Corporate Governance • ISG encompasses ISMS and Compliance Management • COBIT and ISO 27002 can be used to implement ISG
References • Solms and Solms, Information Security Governance, Springer 2009 • COBIT 4.1 • ISO 27002