Information Systems Security Review (ISR) 2003

DESCRIPTION

Overview of Maze & Associates ISR process for financial audits, 2003.

Information Systems Security Review (ISR): A Brief Overview

Maze & Associates

Instructor: Donald E. Hester, CISSP, MCSE, Security+, CTT+

Everyone has a job in Security

There is a misconception that security is a job for the experts or the security professionals.

– Everyone plays an important role in security

– Security should be a part of everyone's job

History comes from accountants and military:

– Auditors

– Network Admins

– Business Managers

Part 1: Objectives of IS Security

– The Confidentiality of Data

– The Integrity of Data

– The Availability of Data

C.I.A. – the Basic Security Triad

As more and more information becomes available electronically, IS security will become more and more important.

Business Need for Security

Each business model requires emphasis on different security objectives.

A national defense system will place the greatest emphasis on confidentiality.

A bank has a greater need for integrity. An emergency medical system will emphasize availability.

Part 2: Areas of Security

Part 3: ISR Sources

– Legal and Regulatory Sources

– NIST – National Institute of Standards and Technology

– ISO – International Standards Organization

– RFCs – Request for Comments

– Industry Standards

– Yellow Book

– SAS 94

Part 4: ISR Scope

Limited Scope

– Not a full risk assessment

– Review, not an Audit

– Based on information provided by client

Benefits include

– Gaining better understanding of FS environment

– Raise awareness about controls

– Highlight management's responsibilities

– Uncover major risks to Financial data

– Raise awareness about regulatory requirements

– Helped clients improve security

– Dispel client myth that everything is public knowledge

Part 5: Parts of ISR

– Sec 1: Statistics

– Sec 2: Disaster Plans

– Sec 3A: Security Management

– Sec 3B: Physical Security

– Sec 3C: Personnel Security

– Sec 3D: Application Security

– Sec 3E: Network Security

– Sec 4: Open Questions

Review ISR

– Review Sections of ISR

– Review Internal Memo

– Questions

Recommended