Ch5-2008 CISA 1_45_Imp of Info Security Mgmt


Page 1

ISACA® The recognized global leaders in IT governance, control, security and assurance

Page 2

2008 CISA® Review Course

Chapter 5 – Protection of Information Assets

Page 3

Chapter 5

Importance of Information Security Management

Page 4

• The advent of electronic trading, the loss of organizational barriers, and high-profile security exposures such as viruses and denial-of-service attacks, intrusions, unauthorized access, disclosures and theft of credit card numbers over the internet have raised the profile of information and privacy risk and the need for effective information security management.

Page 5

• Security objectives to meet the organization's business requirements include:
– Ensure the continued availability of their information systems
– Ensure the integrity of the information stored on their computer systems
– Preserve the confidentiality of sensitive data

Page 6

• Security objectives to meet the organization's business requirements include (continued):
– Ensure conformity to applicable laws, regulations and standards
– Ensure adherence to trust and obligation in relation to any information relating to an identified or identifiable individual
– Preserve the confidentiality of sensitive data in store and in transit

Page 7

• Key elements of information security management:
– Senior management commitment and support
– Policies and procedures
– Organization
– Security awareness and education
– Monitoring and compliance
– Incident handling and response

Page 8

• Information security management roles and responsibilities:
– IS Security Steering Committee: should be established formally with appropriate terms of reference
– Executive Management: responsible for the overall protection of information assets
– Security advisory group: responsible for the review of the security plan of the organization

Page 9

• More management roles and responsibilities:
– Chief Privacy Officer (CPO): articulates and enforces policies that are used to protect the customers' and employees' privacy rights
– Chief Security Officer (CSO): articulates and enforces policies that are used to protect the information assets
– Information asset and data owners: responsible for the assets they own

Page 10

• More management roles and responsibilities (continued):
– Users: use the assets following the procedures set out in the security policy
– External parties: third-party service providers and trading partners that deal with the information assets
– Security specialists/advisors: assist with the design, implementation and review of the security policies, standards and procedures

Page 11

• More management roles and responsibilities (continued):
– IT developers: implement information security within their applications
– IS auditors: provide independent assurance to management on the appropriateness and effectiveness of information security objectives and the controls related to these objectives

Page 12

• Information asset inventories
– The inventory record of each information asset should include:
  • Clear identification of the asset
  • Location
  • Security/risk classification
  • Asset group
  • Owner

Page 13

• Classification of information assets
– Information assets have varying degrees of sensitivity and criticality in meeting business objectives
– They should be classified according to a preset guideline
– Classifications should be simple and unambiguous

Page 14

• Classification should define:
– Who is the owner?
– Who has access rights, and to do what?
– The level of access to be granted to each
– Who is responsible for determining the access rights and access levels?
– What approvals are needed for access?

Page 15

• System access permissions
– The prerogative to act on a computer resource
– For example, the ability to read, create, modify or delete a file or data
– Established, managed and controlled at the physical and/or logical level

Page 16

• System access permissions (continued)
– Physical system access controls restrict the entry and exit of personnel to an area such as an office building, suite, data center or server room
– There are many types of physical access control, such as lock/key, smart cards, memory cards, biometrics, etc.

Page 17

• System access permissions (continued)
– Logical system access controls restrict the use of logical resources of the system, such as data, programs, applications, etc.
– IT assets under logical security can be grouped in four layers:
  • Networks
  • Platforms (operating systems)
  • Databases
  • Applications

Page 18

• System access permissions (continued)
– The information owner or manager who is responsible for the information should provide written authorization for users to gain access
– This should strictly be on a need-to-know basis only
– Logical access is implemented by the security administrator

Page 19

• System access permissions (continued)
– Reviews of access authorization should be done regularly to ensure that they are still valid
– Personnel and departmental changes, malicious efforts and carelessness result in authorization creep and can impact the effectiveness of access controls
– When personnel leave, their system access should be immediately revoked
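As an added example (not part of the ISACA course material), a periodic access-authorization review of the kind this slide calls for: it runs over a constructed HR roster and grant list and flags leavers whose access is still active, roles that no longer match a user's current department (the authorization creep the slide warns about), and grants overdue for recertification. All names, systems and dates are constructed.

```python
"""Periodic access-authorization review (added example, not course material).
Constructed inputs: an HR roster and a list of access grants.  The review flags
grants to revoke (user has left), grants whose role belongs to a department the
user is no longer in (authorization creep), and grants overdue for review.
"""
from datetime import date

# Constructed HR roster: user -> (current department, employment status)
HR_ROSTER = {
    "jsmith": ("finance", "active"),
    "mlee": ("hr", "active"),     # transferred from finance; old role kept
    "rkhan": ("it", "left"),      # has left; access never revoked
}

# Constructed grants: (user, system, role, owning department, date granted)
ACCESS_GRANTS = [
    ("jsmith", "erp", "ap-clerk", "finance", date(2008, 1, 15)),
    ("mlee", "erp", "ap-approver", "finance", date(2007, 6, 1)),
    ("mlee", "hris", "hr-analyst", "hr", date(2008, 3, 2)),
    ("rkhan", "unix-prod", "sysadmin", "it", date(2006, 9, 9)),
]
REVIEW_DATE = date(2008, 6, 30)   # constructed date of this review cycle


def review_access(roster, grants, today, max_age_days=365):
    """Return findings as (user, system, role, reason) tuples."""
    findings = []
    for user, system, role, owning_dept, granted in grants:
        dept, status = roster.get(user, (None, "unknown"))
        if status != "active":
            # Leavers and accounts unknown to HR: revoke immediately
            findings.append((user, system, role, "revoke: user not active"))
            continue
        if dept != owning_dept:
            # Role belongs to a department the user has moved out of
            findings.append((user, system, role, "creep: role outside current department"))
        if (today - granted).days > max_age_days:
            # Authorization older than the review period must be reconfirmed by the owner
            findings.append((user, system, role, "recertify: grant older than review period"))
    return findings


def run_review():
    """Run the review over the constructed data for the constructed review date."""
    return review_access(HR_ROSTER, ACCESS_GRANTS, REVIEW_DATE)
```

Each finding names the grant and the action the reviewer expects (revoke, investigate creep, or have the owner recertify), so the output can go straight to the information owner for sign-off.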

Page 20

• System access permissions (continued)
– Non-employees with access to company systems should also be held responsible for security compliance and accountable for security breaches
– Non-employees include contract employees, vendor programmers, maintenance personnel, clients, auditors and consultants

Page 21

• Mandatory and discretionary access controls
– Mandatory (MAC)
  • Decided on the basis of the sensitivity of information resources
  • Cannot be modified by users
  • Only the administrator can change the category of a resource
  • Enforces corporate security policy

Page 22

• Mandatory and discretionary access controls
– Discretionary (DAC)
  • Enforces data-owner-defined sharing of information resources
  • Can be modified by data owners at their discretion
  • DAC cannot override MAC
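An added example, not from the course material, that puts the two slides side by side in code: a toy Python policy engine in which only the administrator sets a resource's sensitivity label (MAC), the data owner maintains an ACL (DAC), and a request is granted only when both checks agree, so an owner's DAC grant cannot override the MAC label. The users, labels and resource are constructed.

```python
"""Toy model of mandatory (MAC) and discretionary (DAC) access control.
Constructed users, labels and resource.  MAC: a sensitivity label that only the
administrator can change, compared against the requester's clearance.  DAC: an
owner-maintained ACL.  Access needs BOTH checks, so DAC can never override MAC.
"""
from dataclasses import dataclass, field

# Ordered sensitivity categories (constructed; later entries are more sensitive)
LEVELS = ["public", "internal", "confidential", "secret"]

def rank(level: str) -> int:
    return LEVELS.index(level)

@dataclass
class User:
    name: str
    clearance: str
    is_admin: bool = False

@dataclass
class Resource:
    name: str
    owner: str
    level: str                               # MAC label, admin-controlled
    acl: dict = field(default_factory=dict)  # DAC: user -> set of permissions

def set_level(actor: User, res: Resource, new_level: str) -> None:
    """MAC: only the administrator changes a resource's category."""
    if not actor.is_admin:
        raise PermissionError(f"{actor.name} may not relabel {res.name}")
    res.level = new_level

def grant(actor: User, res: Resource, grantee: str, perm: str) -> None:
    """DAC: the data owner shares the resource at his/her discretion."""
    if actor.name != res.owner:
        raise PermissionError(f"{actor.name} does not own {res.name}")
    res.acl.setdefault(grantee, set()).add(perm)

def can_access(user: User, res: Resource, perm: str) -> bool:
    """Grant only if the MAC check and the DAC check both pass."""
    mac_ok = rank(user.clearance) >= rank(res.level)
    dac_ok = user.name == res.owner or perm in res.acl.get(user.name, set())
    return mac_ok and dac_ok

def demo() -> dict:
    """Owner's DAC grant alone is not enough; the admin's relabel is."""
    admin = User("admin", "secret", is_admin=True)
    alice = User("alice", "confidential")
    bob = User("bob", "internal")
    doc = Resource("payroll.xlsx", owner="alice", level="confidential")
    grant(alice, doc, "bob", "read")          # owner shares with bob (DAC)
    before = can_access(bob, doc, "read")     # False: MAC label still too high
    set_level(admin, doc, "internal")         # administrator lowers the label
    after = can_access(bob, doc, "read")      # True: both checks now pass
    return {"bob_after_dac_grant": before, "bob_after_relabel": after}
```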

Page 23

• Privacy management issues and the role of IS auditors
– Privacy means adherence to trust and obligation in relation to an identified or identifiable individual
– It is an organizational matter which by nature requires a consistent and homogeneous approach throughout the organization

Page 24

• Privacy management issues and the role of IS auditors
– The goals of a privacy impact assessment:
  • Pinpoint the nature of personally identifiable information associated with business processes
  • Document the collection, use, disclosure and destruction of personally identifiable information

Page 25

• Privacy management issues and the role of IS auditors
– The goals of a privacy impact assessment (continued):
  • Ensure that accountability for privacy issues exists
  • Be the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk

Page 26

• The role of IS auditors
– Identify and understand legal requirements regarding privacy
– Check whether personal data are correctly managed in these respects
– Verify that correct security measures are adopted
– Review management's privacy policy to ascertain that it takes into consideration the requirements of applicable privacy laws

Page 27

• Critical success factors for information security management
– Information security policy
– Senior management commitment and support on security training
– Security awareness training
– Professional risk-based approach

Page 28

• Computer crime issues and exposures
– Threats to business include the following:
  • Financial loss: these losses can be direct or indirect
  • Legal repercussions: there are numerous privacy and human rights laws an organization should consider when developing security policies
  • Loss of credibility or competitive edge: many organizations need credibility and public trust to maintain their competitive edge

Page 29

• Computer crime issues and exposures
– Threats to business include the following (continued):
  • Blackmail/industrial espionage: by gaining access, a perpetrator could obtain proprietary information which he can sell to a competitor, or extort payments by threatening to exploit the security breach
  • Sabotage: some perpetrators merely want to cause damage due to a dislike of the organization, for self-gratification or for political reasons

Page 30

• Computer crime issues and exposures
– Threats to business include the following (continued):
  • Disclosure of confidential, sensitive or embarrassing information: such events can damage the credibility of the organization. Legal action may also result from such disclosures

Page 31

• It is important that the IS auditor know and understand:
– Computer crime vs. computer abuse
– Civil offence vs. criminal offence
– What constitutes a "crime"?
– When should a crime be suspected?
– What should be done if a crime is suspected?

Page 32

• Possible perpetrators include:
– Hackers: persons with the ability to explore the details of programmable systems and the knowledge to stretch or exploit their capabilities, whether ethical or otherwise. Some do not access a computer with the intention of destruction, but this is often the result. The terms "hack" and "crack" are often used interchangeably

Page 33

• Possible perpetrators include (continued):
– Script kiddies: individuals who use scripts and programs written by others to perform their intrusions and are often incapable of writing similar scripts on their own
– Crackers: those who try to break into someone else's system without being invited to do so

Page 34

• Possible perpetrators include (continued):
– Employees (authorized or unauthorized): affiliated with the organization and given access based on job responsibilities. These individuals can cause significant harm, so screening prospective employees through appropriate background checks is an important means of preventing computer crimes within the organization

Page 35

• Possible perpetrators include (continued):
– IS personnel: these individuals have the easiest access to computerized information, since they are the custodians of this information. In addition to logical access controls, good segregation of duties and supervision help reduce logical access violations by these individuals

Page 36

• Possible perpetrators include (continued):
– End users: they have broad knowledge of the information within the organization and easy access to internal resources
– Former employees: be wary of former employees who have left on unfavorable terms; they may still have easy access to internal resources

Page 37

• Possible perpetrators include (continued):
– Interested or educated outsiders: these may include:
  • Competitors
  • Terrorists
  • Organized criminals
  • Hackers looking for a challenge
  • Script kiddies
  • Crackers

Page 38

• Possible perpetrators include (continued):
– Part-time and temporary personnel: office cleaners have a great deal of physical access and could perpetrate a crime
– Third parties: vendors, consultants or other third parties can gain access through projects and could perpetrate a crime
– Accidental ignorant: someone who unknowingly perpetrates a violation

Page 39

• Security incident handling and response: to minimize damage from security incidents, a formal incident response capability should be established
• It should include the following:
– Planning and preparation
– Detection
– Initiation
– Evaluation

Page 40

• It should include the following (continued):
– Containment
– Eradication
– Response
– Recovery
– Closure
– Post-incident reviews
– Lessons learnt

Page 41

• The organization and management of the incident response capability should be coordinated or centralized, with the establishment of key roles and responsibilities
• This should include:
– A coordinator who acts as the liaison to business process owners
– A director who oversees the incident response capability

Page 42

• This should include (continued):
– A manager who manages individual incidents
– Security specialists who detect, investigate, contain and recover from incidents
– Non-security technical specialists who provide assistance based on subject matter
– A business unit leader who liaises between the various departments

Page 43

• An IS auditor should ensure that there is a formal documented plan which contains response procedures for common security-related incidents such as:
– Virus outbreak
– Web defacement
– Abuse notification
– Unauthorized access alert from audit trails
– Hardware/software theft

Page 44

• Security-related incidents such as (continued):
– Security attack alerts from intrusion detection systems
– System root compromises
– Physical security breaches
– Spyware/malware/Trojans detected on PCs
– Fake defamatory information in media
– Forensic investigations

Page 45

2008 CISA® Review Course

End of Module