Information Security Governance and Standards
Prof. Chandan Mazumdar
Coordinator, Centre for Distributed Computing, Department of Computer Science & Engineering, Jadavpur University, Kolkata – 700 032
E-mail: chandanm@cse.jdvu.ac.in
Corporate Governance
• Corporate Governance is the set of processes, customs, policies, laws and institutions affecting the way a corporation is directed, administered or controlled. It is used to monitor whether outcomes are in accordance with plans.
• Major activities
  • Direct, plan or establish responsibilities
  • Control outcomes, or ensure implementation, or ensure compliance
• Risk Management is one of the key responsibilities
The Players
• Strategic Level
  • Board of Directors & Executive Management
• Tactical Level
  • Senior & Middle Management
• Operational Level
  • Lower Management & Administration
• Directives flow from the top
• Execution is done at the lowest level
• The middle level is responsible for control and feedback
Components of Corporate Governance
• Financial Governance
• HR Governance
• IT Governance
• …
IT Governance
• IT Governance consists of the leadership, organizational structures and processes that ensure that the organization’s IT posture sustains and extends the organization’s strategies and objectives
• The Board should issue directives that ensure the strategic objectives of the business are not jeopardized by IT failures and/or compromise of the IT assets
Components and Standards
• Components
  • Performance and capacity governance
  • Information Security Governance
• Standard
  • COBIT (Control Objectives for Information and Related Technologies) from ISACA (Information Systems Audit and Control Association)
Information Security
• To ensure the protection of the following properties of information assets:
  • Confidentiality
  • Integrity
  • Availability
  • Authenticity
  • Non-repudiation
Dimensions of Information Security
• Governance
• Organization
• Management
• Policy
• Best Practices
• Ethical
• Certification
• Legal
• Insurance
• HR
• Awareness
• Technical
• Measurement / Metrics
• Audit
• Forensics
Information Security Governance (ISG)
• The management commitment and leadership, organizational structures, user awareness and commitment, policies, procedures, processes, technologies and compliance enforcement mechanisms all working together to assure that information security is maintained at all times.
• ISG
  • Is an integral part of Corporate Governance
  • Should ensure cost-effectiveness
  • Should be risk based
  • Should ensure that all security appliances are in place
  • The BoD should exercise due diligence and due care in ensuring that an IS strategy exists and that management implements it
Positioning ISG
(Diagram: nested boxes showing ISG within IT Governance, and IT Governance within Corporate Governance)
ISG Model – Management Levels
• Strategic Level
  • Decides “WHAT” must be done
• Tactical Level
  • Decides “HOW” it must be done
• Operational Level
  • Things are actually done according to set procedures, guidelines and standards
ISG Model – Actions
• Direct
  • What must be done should be very clearly specified through a series of directives reflecting the BoD’s expectations
• Control
  • Directives are expanded into a set of policies, standards, guidelines and procedures, reflecting the expectations of Middle Management on how they want IT assets to be protected. Compliance with the directives is measured, monitored and reported.
• Execute
  • The above inputs are expanded into sets of Administrative Guidelines and Administrative Procedures. The technical measures needed to implement the directives from middle management are physically implemented and managed.
ISG Model – Control
• Operational Level
  • Measurement data is extracted from a wide range of entities, such as log files of the OS, DBs, firewalls, IDSs and many other utility and specialized software sources
• Tactical Level
  • The operational measurement data is compiled and integrated to perform measurement and monitoring against the relevant policies and standards. These measurements are used to control the operational level. The same data is also aggregated or abstracted to indicate the levels of compliance and conformance with the Board Directives.
• Strategic Level
  • Reports reflecting compliance and conformance with the relevant directives are tendered and the risk situation is elicited
Information Security Policy Architecture
(Diagram: a hierarchy with the Board Directive at the top, the Corporate Information Security Policy below it, then Issue Specific Policies 1, 2 and 3, with Procedures 1.1 and 1.2 under Issue Specific Policy 1)
Corporate Information Security Policy (CISP)
• Must indicate the Board’s support and commitment
• Accepted and signed by the CEO
• Should be a “crisp” document
• Should be a “stable” document
• Must be “technology neutral”
• Must indicate the “owner” and other responsible roles
• Must indicate the “scope”
• Must refer to the disciplinary actions in case of violations of the CISP and its sub-policies
• Must be widely disseminated
• Must have a compliance clause
Representative Set of Issue Specific Policies
• Acceptable Usage Policy
• Email Policy
• Anti-virus Policy
• Backup Policy
• Information Security Incident Policy
• Network Security Policy
• Access Control Policy
• Physical and Environmental Security Policy
• Third Party Access Policy
• Remote Access Policy
• Data Classification Policy
• Information Security Awareness Policy
Compliance Management
• Include a compliance clause with each policy
• Each compliance clause should specify
  • The compliance checking cycle
  • The nature of the report to be provided
  • How the data for reporting is to be captured
• You cannot manage what you cannot measure
Compliance Management Approach
• Which IT security risks are to be monitored?
• Which data are needed to monitor the status of these risks?
• How are the results to be reported to Executive Management / the BoD so that they can understand the situation?
• The database for compliance management may be populated manually or automatically
Risk Management
(Diagram: probability / impact matrix with the risk treatment for each quadrant)

                    Low Impact            High Impact
  High Probability  Contain & Control     Prevent
  Low Probability   Ignore                Insurance & Back-up Plan
Risk Management Approach
• Risk Assessment
  • Risk Analysis: process to identify all major risks
  • Risk Evaluation: process to evaluate every major risk and to allocate some value or size to the risk
• Risk Treatment
  • Process to identify and implement suitable controls to mitigate the risk to an acceptable level
Management Involvement
• Strategic Level
  • Indicates which major information-related risks bother management
• Tactical Level
  • Does Event/Impact Analysis to identify possible risks based on questionnaires
• Operational Level
  • Does the formal risk assessment and evaluation
ISG Organization
• Operational Management
  • Implements the Information Security Management System by creating policies & procedures, organizing awareness programs, and implementing safeguards and controls to enforce the CISP
• Compliance Management
  • Receives data from the IT Dept., Audit Dept., users and other departments, compiles and aggregates the data, determines the compliance and conformance status and reports to the BoD for proper governance
Use of Standards in ISG
• COBIT is a good best-practices guideline for IT Governance
• ISO 27002 is a good best-practices guideline for an Information Security Management System
COBIT Structure
• Domains
  • Domains are groups of Processes
  • Follow the responsibility domains and the management lifecycle
• Processes
  • Processes are sequences of Activities / Tasks
• Activities / Tasks
  • Activities and Tasks are needed to achieve a measurable result
  • Activities have a life-cycle concept; tasks are more discrete
COBIT Domains
• Planning and Organization
• Acquisition and Implementation
• Delivery and Support
• Monitoring
Use of COBIT in ISG Compliance
• 62 out of 318 Control Objectives have a direct impact on Information Security
• These can be used to implement the monitoring and compliance checking
ISO 27002 Structure
• Provides a well-proven framework to implement security within an organization
• It offers a business-led approach to best practice for information security management in the organization
• Information security is characterized within BS 7799 by the preservation of
  • Confidentiality
  • Integrity
  • Availability
ISO 27002: Security Domains, Objectives and Controls
• It consists of
  • 11 Clauses
  • 39 Security Categories
  • 134 Controls
Conclusion
• Information Security Governance is part of Corporate Governance
• ISG encompasses the ISMS and Compliance Management
• COBIT and ISO 27002 can be used to implement ISG
References
• Solms and Solms, Information Security Governance, Springer, 2009
• COBIT 4.1
• ISO 27002