April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales
Enforcing Business Rules and Information Security Policies through Compliance Audits
Frederick Yip, Pradeep Ray, Nandan Paramesh
School of Computer Science & Engineering / School of Information Systems & IT Management
University of New South Wales, Sydney, Australia
Outline
Background – What is the industry doing?
Problem – What are the challenges?
Motivation – How have these challenges motivated the research?
XISSF – Compliance mechanism
Limitations & Future Work – Holistic framework
Conclusion
Background
Ever-increasing pressure and responsibilities for organizations to fulfil the requirements enforced by different regulations
By actively assessing corporate security compliance based on renowned standards, guidelines and best practices (e.g. CobiT, ISO17799), organizations secure trust and recognition from customers and business partners
Compliance spending: US$15.5 billion in 2005; US$5.8 billion for Sarbanes-Oxley alone in 2005; estimated to exceed US$80 billion over the next 5 years
HIPAA affects organizations that maintain medical health information
New! European 8th Directive – SOX equivalent in the EU – currently in draft
Standards
CobiT v3, CobiT v4 – Control Objectives for Information and related Technology
ISO/IEC 17799:2000, ISO/IEC 17799:2005 – Information technology – Security techniques – Code of practice for information security management
AS/NZ 17799:2001 – Information technology – Code of practice for information security management
BSI – IT Baseline Protection Manual
BS7799, ISO27001 – Information technology – Security techniques – Information security management systems – Requirements
The Problem – Multi-regulation
3 out of 4 organizations must comply with 2 or more regulations; 43% of organizations must comply with 3 or more regulations
Too many standards – which one should you use? It depends on the regulations, organization structure, jurisdiction, industry and auditor
Standards are different, some overlap, and they change from time to time (versions)
Manual process – time consuming, requires co-ordination and co-operation from business units, and is subjective
Compliance Process
[Diagram: the traditional compliance process. Legislation (textual information) goes to a legal & compliance expert and standards (textual information) to standard expert(s); the CIO turns them into traditional checklists that flow down to regional IT managers, branch IT managers and system administrators.]
Legislation and regulation are ambiguous to IT
The need for a common Infosec specification format that can be distributed to other business units
What about multiple information security standards?
The need for a uniform way of checking compliance to policies and best practices
The need for a uniform way to report audit and compliance results
eXtensible Information Security Specification Format (XISSF)
What is it?
Common Infosec specification format and platform – not vendor or firm specific
Based on XML
Textual descriptions of the security clauses or safeguards within Infosec standards are restructured and codified
XISSF is capable of:
Encapsulating and segregating the clauses extracted from different textual standards
Heterogeneous formats of clauses from multiple standards can be encapsulated in a single XISSF document
Transportable between business units – across a global business
Expressing information security specifications explicitly – decreases ambiguity
A uniform way of checking compliance to policies and best practices
A machine-interpretable format for computer-aided assessment of security compliance
XISSF
Foundation for providing automated support for compliance audits
Addresses the problem of heterogeneous information security standards
Agents can be designed to perform routine and subjective tasks based on XISSF (mobile agents and multi-agent systems)
Tags enclose a weighting metric for each checkpoint in the clauses, for audit and assessment purposes
Atomic actionable questions or statements are identified as checkpoints
Schema outline (from the slide's diagram, with the attribute sets as labelled there):
XISSF
  GROUP (due, reminder, reference, …)
    CLAUSE (id, required, title, pre-req, role, …)
      OBJECTIVE
      CHECKPOINT (description, weight, required, threat type, constraints, pre-requisites, …)
      CHECKPOINT
    CLAUSE
      OBJECTIVE
      CHECKPOINT
  GROUP
Regulations/Standards/Clauses/Checkpoints
[Diagram: a four-level hierarchy. Government regulations (HIPAA, SOX, …) are satisfied by Infosec standards (CobiT, ISO 17799, ISF, ITIL, BSI, …); security clauses are extracted from the standards (e.g. ISO 17799:2005 9.2.2, CobiT v4 DS4); checkpoints are extracted from the clauses (e.g. CobiT v4 DS4.1).]
Sample Clause - ISO17799
5.1.1 Information security policy document
Control
An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
Implementation guidance
The information security policy document should state management commitment and set out the organization's approach to managing information security. The policy document should contain statements concerning:
a) a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing (see introduction);
b) a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
c) a framework for setting control objectives and controls, including the structure of risk assessment and risk management;
…
Sample XISSF encoding of the clause (the slide's fragment, with the mis-encoded quotation marks repaired and the closing group and xissf tags the slide omitted supplied):
<?xml version="1.0" encoding="UTF-8"?>
<xissf xmlns="http://www.cse.unsw.edu.au/xissf"
       xmlns:xissf="http://oval.mitre.org/XMLSchema/xissf"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       version="0.2"
       xsi:schemaLocation="http://www.cse.unsw.edu.au/xissf xissf.xsd">
  <status date="2006-01-06">draft</status>
  <title>XISSF Sample</title>
  <description>XISSF - eXtensible Information Security Specification Format. This document defines a list of security specification policies that should be enforced on the organization. This can vary from technical policies to abstract business level processes.</description>
  <group due="000024052006" reminder="000012052006">
    <reference>
      <title>ISO17799</title>
      <organization>International Standard Organization</organization>
      <format>ISO17799:2005</format>
      <version>2005</version>
      <url>http://www.iso.org</url>
    </reference>
    <clause id="5.1.1" required="true" weight="1" prereq="6.1.5">
      <title>Information security policy document</title>
      <objective>An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.</objective>
      <checkpoint required="true" weight="1" role="IT Manager">
        <description>The information security policy document should state management commitment and set out the organization's approach to managing information security.</description>
      </checkpoint>
      <checkpoint required="true" weight="1">
        <description>The policy document should contain statements concerning a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing.</description>
      </checkpoint>
      <checkpoint required="true" weight="1">
        <description>The policy document should contain statements concerning a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives.</description>
      </checkpoint>
    </clause>
  </group>
</xissf>
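An added worked example, written for this page and not code from the paper or the XISSF project, that puts the schema outline and the sample clause above to machine-interpretable use: it parses an XISSF 0.2 document, lists the checkpoints assigned to one role, and scores a set of audit answers using the weight, required, prereq and due attributes. Assumptions: the input is constructed inline and modelled on the slide's sample (clause 6.1.5 is a hypothetical placeholder added so the sample's prereq="6.1.5" resolves, and the third checkpoint is made optional with weight 2 so weighting and the required flag can be told apart); the due-date string "000024052006" is read as zero-padded DDMMYYYY; the audit answers are constructed.

```python
"""Parse an XISSF document, segregate checkpoints by role, and score an audit.

Added example for this page (not the XISSF project's code). The input below is
a constructed XISSF 0.2 document modelled on the slide's ISO17799 5.1.1 sample.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

NS = {"x": "http://www.cse.unsw.edu.au/xissf"}  # default namespace in the slide's sample

# Constructed input. Clause 6.1.5 is a hypothetical placeholder so that the
# sample's prereq="6.1.5" resolves; the third 5.1.1 checkpoint is changed to
# required="false" weight="2" to show weighting separately from the required flag.
SAMPLE_XISSF = """<?xml version="1.0" encoding="UTF-8"?>
<xissf xmlns="http://www.cse.unsw.edu.au/xissf" version="0.2">
  <status date="2006-01-06">draft</status>
  <title>XISSF Sample</title>
  <group due="000024052006" reminder="000012052006">
    <reference><title>ISO17799</title><format>ISO17799:2005</format></reference>
    <clause id="6.1.5" required="true" weight="1">
      <title>Hypothetical prerequisite clause (placeholder)</title>
      <checkpoint required="true" weight="1" role="Legal and Compliance Expert">
        <description>Placeholder checkpoint for the prerequisite clause.</description>
      </checkpoint>
    </clause>
    <clause id="5.1.1" required="true" weight="1" prereq="6.1.5">
      <title>Information security policy document</title>
      <checkpoint required="true" weight="1" role="IT Manager">
        <description>The policy document states management commitment.</description>
      </checkpoint>
      <checkpoint required="true" weight="1">
        <description>The policy document defines information security, its objectives and scope.</description>
      </checkpoint>
      <checkpoint required="false" weight="2">
        <description>The policy document states management intent in line with business strategy.</description>
      </checkpoint>
    </clause>
  </group>
</xissf>
"""


@dataclass
class Checkpoint:
    description: str
    weight: float
    required: bool
    role: Optional[str]


@dataclass
class Clause:
    id: str
    title: str
    prereq: Optional[str]
    checkpoints: List[Checkpoint]


def parse_due(raw: str) -> date:
    """Assumption: the sample's '000024052006' is zero-padded DDMMYYYY (24 May 2006)."""
    d = raw[-8:]
    return date(int(d[4:]), int(d[2:4]), int(d[:2]))


def parse_xissf(text: str):
    """Return (group due date, {clause id: Clause}) for a single-group document."""
    root = ET.fromstring(text.encode("utf-8"))
    group = root.find("x:group", NS)
    clauses: Dict[str, Clause] = {}
    for c in group.findall("x:clause", NS):
        cps = [Checkpoint(description=" ".join(cp.findtext("x:description", "", NS).split()),
                          weight=float(cp.get("weight", "1")),
                          required=cp.get("required", "false") == "true",
                          role=cp.get("role"))
               for cp in c.findall("x:checkpoint", NS)]
        clauses[c.get("id")] = Clause(c.get("id"), c.findtext("x:title", "", NS).strip(),
                                     c.get("prereq"), cps)
    return parse_due(group.get("due")), clauses


def tasks_for_role(clauses: Dict[str, Clause], role: str):
    """Role-based segregation: the (clause id, checkpoint) pairs one role must answer."""
    return [(cid, cp.description) for cid, cl in clauses.items()
            for cp in cl.checkpoints if cp.role == role]


def is_overdue(due: date, today: date) -> bool:
    return today > due


def assess(clauses: Dict[str, Clause], answers: Dict[str, List[bool]]):
    """answers maps clause id -> pass/fail per checkpoint, in document order.

    A clause is compliant when every required checkpoint passed and its prereq
    clause (if any) is itself compliant. The weighted score is reported
    separately, so a clause can be compliant yet score low (optional items missed).
    """
    results = {}
    for cid, cl in clauses.items():
        got = list(answers.get(cid, []))
        got += [False] * (len(cl.checkpoints) - len(got))  # unanswered counts as failed
        total = sum(cp.weight for cp in cl.checkpoints)
        earned = sum(cp.weight for cp, ok in zip(cl.checkpoints, got) if ok)
        missing = [cp.description for cp, ok in zip(cl.checkpoints, got) if cp.required and not ok]
        results[cid] = {"score": earned / total if total else 1.0, "missing_required": missing,
                        "compliant": not missing, "blocked_by": None}

    def resolve(cid: str, seen: frozenset) -> bool:
        cl, r = clauses[cid], results[cid]
        if cl.prereq is None:
            return r["compliant"]
        if cl.prereq not in clauses or cl.prereq in seen:  # dangling or circular prereq
            r["blocked_by"], r["compliant"] = f"unresolvable prereq {cl.prereq}", False
            return False
        if not resolve(cl.prereq, seen | {cid}):
            r["blocked_by"], r["compliant"] = cl.prereq, False
        return r["compliant"]

    for cid in clauses:
        resolve(cid, frozenset())
    return results


# Constructed audit answers: both required 5.1.1 checkpoints met, the optional one not.
AUDIT_ANSWERS = {"6.1.5": [True], "5.1.1": [True, True, False]}

if __name__ == "__main__":
    due, clauses = parse_xissf(SAMPLE_XISSF)
    print("due", due, "IT Manager tasks:", tasks_for_role(clauses, "IT Manager"))
    for cid, r in assess(clauses, AUDIT_ANSWERS).items():
        print(cid, r)
```

With the constructed answers, 5.1.1 is compliant (both required checkpoints pass) but scores only 0.5 because the optional weight-2 checkpoint was missed; if the prerequisite clause 6.1.5 fails, 5.1.1 is reported as blocked by it even with a perfect score, which is the distinction the weight, required and prereq attributes are there to make.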
Scenario
[Diagram: a public company listed in the United States, with branch offices in Australia and Germany and a US subsidiary providing health services. Labels: "Regulated by SOX & HIPAA – satisfied by implementing ISO17799 & CobiT" and "Regulated by HIPAA".]
Limitation & Future Work
Preliminary in nature but essential for any future work
Checkpoints currently in English – human intervention required
Improve automation
Ontology-based schema for each governance standard
Application of concept learning/extraction methodologies for IT standards
Assessment strategy based on XISSF
Agent-based compliance management based on XISSF
The Big Picture
[Diagram contrasting the two processes. Traditional: the CIO, legal & compliance expert and standard expert(s) turn legislation and standards (textual information) into checklists for regional IT managers, branch IT managers and system administrators. With XISSF: legislation X, Y, Z and standards A, B are codified into XISSF once by the legal & compliance expert and standard expert(s); interface agents deliver it to IT managers / system administrators, reducing the involvement required of each party.]
Conclusion
An approach and mechanism to express explicit information security requirements and compliance audits in a codified format
Increases portability, especially for a global business
Provides a foundation to enable computer-assisted compliance auditing
Normalization of XISSF decreases redundant compliance tasks and identifies conflicts
Reduces interaction time in the compliance process, improving efficiency
Better modularization to segregate compliance tasks – role-based
Ability to consolidate and extend multiple heterogeneous Infosec specifications
The process of compliance is an important component of ensuring IT security controls are employed and used correctly. It is a continuous effort!