
IT Governance and Risk Management: Transforming UPPCL into a digitally secure organization meeting world standards

© 2016 NTPC Ltd.

Bodh Raj, CISSP, CCSP, CISA, PMP

Additional General Manager, NTPC IT Department, Corporate Center

IT Security Governance and Risk Management: Transforming NTPC into digitally secure organization meeting world standards

Agenda

• Introduction: IT Governance
• Fundamental Principles of IT Security
• IT Security: Definitions & Control Types
• IT Security Governance: Enterprise Security
• IT Security Governance: Enterprise Security Frameworks
• Introduction to IT Risk Management
• Risk Assessment & Analysis Techniques
• Policies, Standards, Baselines, Guidelines & Procedures
• Information Classification in an Enterprise
• Security: Layers of Responsibility
• Introduction to Malicious Software
• Anti-Virus Software

Increasingly, Business Depends on IT for Competitive Advantage

[Diagram: business value of IT rising with IT maturity, from Support Function through Service Provider to Engine for Competitive Advantage]

The CIO Imperative

[Diagram: IT services sit between executives and customers. Executives ask "Is IT doing the right things?" (Strategy, Alignment); customers ask "Is IT doing things right?" (Access, Quality & Cost)]

The Problem: IT Complexity

[Diagram: the IT services stack behind executives and customers: business applications, collaboration, business intelligence/analytical applications, application integration, application development tools, database, OS, hardware platform]

Managing IT in Silos Compounds the Problem

[Diagram: the same IT services stack managed as separate silos: Networks, Systems, Help Desk, Applications, Databases, Security]

An Integrated Approach Unifies and Simplifies IT Management

[Diagram: executives and customers/users around IT services, with three disciplines layered in one at a time]

• GOVERNANCE to make better decisions about IT investments and risk (Strategy, Alignment)
• MANAGEMENT to ensure the right services are delivered at the right cost and quality (Quality & Cost)
• SECURITY to provide secure access to enable the business (Access)

Enterprise IT Management

Governance, Management and Security together make up Enterprise IT Management.

Enterprise IT Management: Changing the Economics of IT

Overcome IT Management Complexity by integrating IT Governance, Management and Security:

• Make better decisions about IT investment and risk
• Ensure the right services are delivered at the right cost and quality
• Provide secure access to enable the business

Integrating the disciplines of IT Governance, Management and Security by providing a common view of a service: the UNIFIED SERVICE MODEL.

EITM: Transforming IT Management

Category | Components | Champion | Pivotal Insight
ERP | Inventory, Payroll, GL, Accounts Payable, Accounts Receivables | CFO | Common Financial View
CRM | Marketing, Sales Force Automation, Customer Service | EVP, Sales | Common View of a Customer
EITM | Governance, Management (Infrastructure and Service) and Security of IT | CIO | Common View of a Service

Enterprise IT Management Vision

[Diagram: GOVERN, MANAGE and SECURE arranged around a UNIFIED SERVICE MODEL, labelled Enterprise IT Management (EITM)]

Enterprise IT Management Focus Segments

• Application Performance Management
• Service Management
• IT Security Management
• Data Center Automation
• IT Governance
• Infrastructure Management

Reality ……

• Business exists to make money
• No business exists specifically to deploy and maintain firewalls, IDS, IPS and SIEM devices
• Organizations have many other things to do than practice security
• No business really wanted to develop hundreds of security policies, deploy anti-malware products and have to comply with security regulations such as the IT Act, SOX, HIPAA and PCI-DSS
• Business owners make products, sell products and happily go home every day

But the fact is ……….

Today's business risk comes in many forms

Changing environment
– Increased global and regional interdependencies
– Supply chain disruption
– Expanding risk exposures

Greater impact of business disruption
– Greater financial implications of downtime
– Brand vulnerabilities
– Data integrity requirements

More complex regulations
– Changing industry and regulatory standards
– Geographic dispersal requirements
– Varying regulations per country

Today's business risk comes in many forms

Attackers stealing a business's customer data
– Carrying out identity theft and banking fraud
– Stealing company secrets (corporate espionage)
– Systems being hijacked into botnets
– Company funds being secretly siphoned off
– Company systems being used as zombies for terrorist activities
– Company systems being rendered offline by competitors using DDoS attacks

The entire scenario of doing business has changed in recent times. There is an ongoing war between the IT security team and the bad guys, each trying to outwit the other with the latest tools and techniques.

CSOs, CIOs and CISOs are having a tough time equipping their organizations with the best safeguards

What should I do?
Where do I start?
What are the best practices?
How do I continuously monitor these efforts?
How do I evaluate safeguard effectiveness?
How do I put a case to management for allocation of funds for safeguards?
How do I justify my new requirement?
……

Many such questions arise in the minds of C-level executives in the organization. Have a strong IT security implementation across the enterprise ……

Let's look at the fundamentals of IT Security

Information Security TRIAD

The purpose of information security (IT security) is to protect an organization's valuable resources, such as information, hardware and software.

Fundamental Principles of IT Security

Availability
– The protection ensures reliability and timely access to data and resources
– Common threats to availability: power supply failure, virus attacks, floods, etc.

Integrity
– Assurance of the accuracy and reliability of information; prevention of any unauthorized modification of data
– Common threats to integrity: virus, logic bomb, backdoor, etc.

Confidentiality
– Enforcement of the necessary level of secrecy at each junction of data processing
– Common threats to confidentiality: network monitoring, social engineering, stealing passwords, shoulder surfing

Control Types ….

Controls are put into place to reduce the risk an organization faces.

Three types:
– Administrative controls (soft controls)
– Technical controls
– Physical controls

Defense in Depth: multiple security controls in a layered approach.

Functionalities they offer:
- Deterrent
- Preventive
- Corrective
- Recovery
- Detective
- Compensating

Security through Obscurity: assuming that your enemies are not as smart as you are and cannot figure out something that you feel is very tricky.

Examples of Controls

Functional categories: Preventive (Avoid), Detective (Identify), Corrective (Correct), Deterrent (Discourage), Recovery (Restore)

Category | Examples
Physical | Fences, Locks, ID Cards
Administrative | Security Policy, Monitoring & Supervising, Job Rotation
Technical | Encryption, Server Images, Data Backup

Let's look at some definitions …..

Vulnerability: a lack of a countermeasure, or a weakness in a countermeasure that is in place. It may be a hardware, software, procedural or human weakness.

Threat: any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone or something will identify a specific vulnerability and use it against a company or individual.

Risk: the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. Risk ties the vulnerability, threat and likelihood of exploitation to the resulting business impact.

Exposure: an instance of being exposed to losses. A vulnerability exposes an organization to possible damage.

Control: a countermeasure put into place to mitigate (reduce) the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates the vulnerability or reduces the likelihood that a threat agent will be able to exploit it.

Security Program – Let's understand the concept ….

Why a Security Program?
– Avoid an ad hoc approach
– Avoid deploying stovepipe solutions
– Avoid the constant "putting out fires" approach
– Avoid security surprises in the organization

So we do not want our organization to be built on smoke and mirrors, and we also understand that we cannot trick our enemies.

A security program is a framework made up of many
- Entities - logical, administrative and physical protection mechanisms
- Procedures
- Business processes
- People

They all work together to provide a level of protection to an environment. Each has an important role, and if one is missing or incomplete, the whole framework may be affected.

Let's see some standard security frameworks ………

Building a Fortress aka Security Program -

ISO/IEC 27000 Series. Originally derived from BS7799.

Follows
• Plan – Do – Check – Act (PDCA) Cycle

ISO/IEC 27000 – Overview and Vocabulary
27001 - ISMS requirements
27002 - Code of practice for information security management
27003 - Guidelines for ISMS implementation
27004 - Guidelines for information security management measurement
27005 - Guidelines for information security risk management
27006 - Guidelines for bodies providing audit and certification of ISMS
27031-1 Guidelines for network security

The list continues ……….

Enterprise Architecture Frameworks -

Zachman framework
– Has six basic communication interrogatives (What, How, Where, Who, When and Why)
– Intersecting with different viewpoints (Planner, Owner, Designer, Builder, Implementer & Worker)

This framework aims at looking at the same organization from different views. It is not a security-oriented framework.

Enterprise Architecture Frameworks

The Open Group Architecture Framework (TOGAF)

Can be used to develop and create individual architectures in an organization:
- Business Architecture
- Data Architecture
- Application Architecture
- Technology Architecture

Uses the ADM (Architecture Development Method), an iterative process of reviewing and updating architectures as needed.

Enterprise Architecture Frameworks

Department of Defense Architecture Framework (DODAF)
– Spans different complex government agencies
– These agencies have interoperability and proper hierarchical communication
– The focus of the framework is on command, control, communications, computers, intelligence, surveillance, and reconnaissance systems and processes
– The framework helps to ensure that all systems, processes, and personnel work in a concerted effort to accomplish missions

Ministry of Defense Architecture Framework (MODAF)
– Based primarily on DODAF
– The crux is to be able to get data in the right format to the right people as soon as possible
– Aligned with quick war decisions so that activities happen fast

Enterprise Architecture Frameworks -

• To figure out which architecture framework is best for an organization
– Find out who the stakeholders are
– What information they need
– The main difference between the various enterprise architecture frameworks is what type of information they provide and how they provide it

Let's now move ahead with Enterprise Security Architecture Frameworks ………

Enterprise Security Architecture Frameworks -

What are they?
They are a subset of Enterprise Architecture.
Defines the Information Technology strategy consisting of
– Layers of solutions, processes, and procedures, and the way they are linked across an enterprise
– Strategically
– Tactically
– Operationally

Why are they required?
They ensure that security efforts align with business practices in a standardized and cost-effective manner.
Provides a frame of reference.
Allows the organization to better achieve interoperability, integration, ease-of-use, standardization and governance.

Let's see some Enterprise Security Architecture model frameworks ………

Enterprise Security Architecture Frameworks -

Sherwood Applied Business Security Architecture (SABSA)
Similar to the Zachman framework
A layered model
Provides a chain of traceability
Outlines the following questions to be answered at each level:

What are you trying to do at this layer? – The assets to be protected by the security architecture
Why are you doing it? – The motivation for wanting to apply security, expressed at this layer
How are you trying to do it? – The functions needed to achieve security at this layer
Who is involved? – The people and organizational aspects of security at this layer
Where are you doing it? – The locations where the security shall be applied
When are you doing it? – The time-related aspects of security relevant to this layer

Security Control Development -

Now we have
– The ISO/IEC 27000 series outlining the components of an organizational security program
– A security enterprise architecture which helps to integrate the requirements outlined in our security program into our existing business structure

Now it's time to focus on the objectives of the controls we are going to put into place to accomplish the goals outlined in our security program and enterprise architecture.

Some control frameworks
– CobiT
– NIST 800-53
– COSO

Let's see them one by one ………….

Security Control Frameworks -

CobiT – Control Objectives for Information and related Technology
– Developed by the Information Systems Audit and Control Association (ISACA) & IT Governance Institute (ITGI)
– Defines goals for the controls to properly manage IT and to ensure that IT maps to business needs
– Has four domains, each drilling down into subcategories:
• Plan & Organize
• Acquire & Implement (drill-down: Acquire and Maintain Application Software; Acquire and Maintain Technology Infrastructure; Develop and Maintain Procedures; Install and Accredit Systems; Manage Changes)
• Deliver & Support
• Monitor & Evaluate
– Framework mostly used in commercial organizations
– CobiT domains provide goals and guidance that companies can follow when they purchase, install, test, certify and accredit IT systems
– Provides a checklist approach to IT Governance by providing a list of things that must be thought through and accomplished when carrying out different IT functions
– Provides executive summaries, management guidelines, frameworks, control objectives, an implementation toolset, performance indicators, success factors and maturity models

Security Control Frameworks -

COSO – Committee of Sponsoring Organizations
– Developed by the Committee of Sponsoring Organizations of the Treadway Commission in 1985
– Deals with fraudulent financial activities and reporting
– COSO is a model for corporate governance
– SOX is based on the COSO model
– COSO deals with non-IT items also
– COSO is made up of the following components:
• Control Environment – management philosophy and operating style; company culture as it pertains to ethics and fraud
• Risk Assessment – establishment of risk objectives; ability to manage internal and external change
• Control Activities – policies, procedures, and practices put in place to mitigate risk
• Information and Communication – structure that ensures that the right people get the right information at the right time
• Monitoring – detecting and responding to control deficiencies

Companies commonly implement ISO/IEC 27000 standards and CobiT to help construct and maintain their internal COSO structure.

Process Management Development -

After ensuring that we have proper controls in place, we also want to have ways to construct and improve our business, IT and security processes in a structured and controlled manner.

ITIL
– Standard of best practices for IT service management
– Focus is more toward internal service level agreements between the IT department and the 'customers' it serves

Six Sigma
– Developed by Motorola
– Process improvement methodology
– Uses statistical methods for measuring operational efficiency and reducing variation, defects and waste
– Used in the security assurance industry in some instances to measure the success factors of different controls and procedures

Process Management Development -

Capability Maturity Model Integration (CMMI)
– Aims to develop structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes and security posture

Blueprints
– Important tools to identify, develop and design security requirements for specific business needs
– Present a granular layout of a process
– Lay out the security solutions, processes and components the organization chooses to use to match its security and business needs

Putting what we have learnt till now all together ……

The security program compared with building a two-storey house:

ISO/IEC 27000 | Description of the house
Security Enterprise Architecture (SABSA) | Layout of the house
Blueprint | Detailed descriptions
Control Objectives (CobiT) | Specifications and codes
Process Management and Improvement (ITIL, Six Sigma, CMMI) | Daily process improvement

IT Risk Management …..

The definitions of vulnerability, threat, risk, exposure and control given above apply here.

Risk Management … Life is full of risk

Why is risk management required in an organization?

Identification – identify critical assets
Discovery – discover threats that put assets at risk
Estimation – estimate the possible damage that can happen
Protection – protect the assets from potential damage
Acceptance – estimate risk acceptance

Types of Risks

Physical damage | Fire, water, vandalism, power loss, & natural disasters
Human interaction | Accidental or intentional action or inaction that can disrupt productivity
Equipment malfunction | Failure of systems and peripheral devices
Inside and outside attacks | Hacking, cracking and attacking
Misuse of data | Sharing trade secrets, fraud, espionage
Application error | Computation errors, input errors and buffer overflows

Risk Management Methodologies

NIST SP 800-30: US Federal Govt. standard
• Also known as "Risk Management Guide for Information Technology Systems"
• Specific IT threats and how they relate to information security threats
• Lays down the following steps -
• System characterization
• Threat identification
• Vulnerability identification
• Control analysis
• Likelihood determination
• Impact analysis
• Risk determination
• Control recommendation
• Results documentation

Note: Does not cover larger organizational threat types, such as natural disasters, succession planning, environmental issues or how security risks relate to business risks.

Risk Management Methodologies

FRAP – Facilitated Risk Analysis Process
• Qualitative methodology
• Focuses on systems that really need assessing, to reduce cost and time
• Uses a one-system, one-application-at-a-time approach
• Systems are prioritized on the basis of criticality
• Risk management team documents the controls required
• Action plans are put in place to implement controls
• Remember
• Here the criticality of the risks is determined based on the experience of the team
• Goal is to keep the scope of assessment small and simple to allow for efficiency and cost effectiveness.

Risk Management Methodologies

OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
• People in power positions manage and direct the risk evaluation
• Self-directed team approach
• Aided by a facilitator who understands the risks better
• Has a wide scope and assesses all systems, applications and business processes

AS/NZS 4360
• Focus on the health of a company
• Used to understand a company's financial, capital, human safety, and business decision risks
• No focus on security

Risk Management Methodologies

FMEA – Failure Mode and Effect Analysis
• Approach that dissects a component into basic functions to identify flaws and those flaws' effects
• Method used to determine functional failures and assess their causes
• Example - used to determine single points of failure in a network
• Prediction of failures that may happen in future, locating those areas that may impact the business
• Take corrective measures before they become actual liabilities

Fault Tree Analysis
• Approach to map specific flaws to root causes in complex systems
• Used for discovering complex failure modes in more complex environments and systems
• Examples –
• False alarms
• Sequencing or order
• Incorrect timing inputs

Risk Analysis Approaches

Quantitative Analysis
• Assigns monetary and numeric values to all elements of the risk analysis process

SLE or Single Loss Expectancy – potential loss associated with a single event a threat can cause
EF or Exposure Factor – percentage of loss a realized threat could have on a certain asset
ARO or Annual Rate of Occurrence – represents the estimated frequency of a specific threat taking place within a 12-month time frame

Example: A data center has an asset value of 250 cr.
If there is a fire, it is estimated that 25% of the data center would be damaged.
The probability of a fire event taking place is 1 in 10 years, or ARO = 0.1 (past learning).

Calculating SLE
Asset Value x Exposure Factor (EF) = SLE. Therefore in our example the SLE will be 62.5 cr.
SLE x Annual Rate of Occurrence = ALE (Annual Loss Expectancy), so ALE will be 6.25 cr.

Conclusion: It would be wise to deploy controls/safeguards to curtail the threat for a value less than or equal to 6.25 cr.

IT Security Governance and Risk Management: Transforming NTPC into digitally secure organization meeting world standards

Risk Analysis Approaches

Qualitative Analysis

• Involves walking through different scenarios and ranking the seriousness of threats

• Includes judgment, best practices, intuition and experience

• Qualitative techniques:

• Delphi

• Brainstorming

• Storyboarding

• Focus groups

• Surveys

• Questionnaires

• Checklists

• One-to-one meetings

• Interviews

The exposure possibility and loss probability can be ranked as High, Medium or Low on a scale of 1 to 5 or 1 to 10.

Threat = Hacker accessing confidential information

Respondent              Severity   Probability   Potential loss   Effectiveness   Effectiveness of            Effectiveness
                        of threat  of threat     to the company   of firewall     intrusion detection system  of honey pot
IT Manager              4          2             4                4               3                           2
Database Administrator  4          4             4                3               4                           1
Application Programmer  2          3             3                4               2                           1
System Operator         3          4             4                4               4                           2
Operational Manager     5          4             4                4               4                           2
Results                 3.6        3.4           3.6              3.8             3                           1.4
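To show how such a Delphi-style table is turned into a group result, the following added example (not part of the original slides) averages each column of the respondent scores above and ranks the candidate controls by perceived effectiveness; the High/Medium/Low thresholds in rate_threat are an assumed convention, not something the slides define.

```python
from statistics import mean

# Criteria in table order (1 = low, 5 = high), then the three controls scored.
CRITERIA = ["severity", "probability", "potential_loss",
            "firewall", "ids", "honeypot"]
CONTROLS = ["firewall", "ids", "honeypot"]

# Respondent scores copied from the slide's table for the threat
# "hacker accessing confidential information".
RESPONSES = {
    "IT Manager":             [4, 2, 4, 4, 3, 2],
    "Database Administrator": [4, 4, 4, 3, 4, 1],
    "Application Programmer": [2, 3, 3, 4, 2, 1],
    "System Operator":        [3, 4, 4, 4, 4, 2],
    "Operational Manager":    [5, 4, 4, 4, 4, 2],
}


def aggregate(responses):
    """Average every criterion across respondents (the table's 'Results' row)."""
    for scores in responses.values():
        if len(scores) != len(CRITERIA):
            raise ValueError("every respondent must score every criterion")
    return {c: round(mean(r[i] for r in responses.values()), 2)
            for i, c in enumerate(CRITERIA)}


def rate_threat(results, scale_max=5):
    """Classify the threat from mean severity x probability, normalised to the
    scale in use so the same thresholds work for 1-5 and 1-10 scoring.
    Thresholds (>= 0.5 High, >= 0.25 Medium) are an assumed convention."""
    score = results["severity"] * results["probability"] / (scale_max ** 2)
    if score >= 0.5:
        return "High"
    if score >= 0.25:
        return "Medium"
    return "Low"


def rank_controls(results):
    """Order the candidate controls by the group's perceived effectiveness."""
    return sorted(CONTROLS, key=lambda c: results[c], reverse=True)
```

The means are computed directly from the five rows of scores.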

Risk Analysis Approaches

Control Selection

• Controls should be cost effective: the benefit should outweigh the cost

• Requires a cost/benefit analysis

• Commonly used cost/benefit formula:

(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company

• Example

• ALE of the threat of a hacker bringing down a web server is Rs. 12000

• ALE after implementation of an Intrusion Detection System (IDS) is Rs. 2000

• Annual maintenance of the IDS is Rs. 400

Value of safeguard (IDS) to the company = 12000 – 2000 – 400 = Rs. 9600
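The quantitative steps on the preceding slides (SLE, ALE, then safeguard value) chained together in an added example that is not from the original deck; the data-centre and IDS figures are the slides' own, while the second candidate safeguard is constructed to show a control whose cost exceeds the risk it removes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """Quantitative inputs for one threat against one asset (one currency unit)."""
    name: str
    asset_value: float      # value of the asset at risk
    exposure_factor: float  # fraction of the asset lost when the threat is realized (EF)
    aro: float              # estimated occurrences per year (ARO)

    def sle(self):
        """Single Loss Expectancy = asset value x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    ale_after: float    # ALE that remains with the safeguard in place
    annual_cost: float  # yearly cost of owning and operating the safeguard

    def value(self, ale_before):
        """(ALE before) - (ALE after) - (annual cost of safeguard)."""
        return ale_before - self.ale_after - self.annual_cost


def select_safeguard(ale_before, candidates):
    """Pick the candidate worth most to the company; None when no candidate's
    benefit outweighs its cost (the risk is then accepted or avoided instead)."""
    best = max(candidates, key=lambda s: s.value(ale_before), default=None)
    if best is None or best.value(ale_before) <= 0:
        return None
    return best


# Slide example: 250 cr asset, 25% damaged by fire, one fire per 10 years.
DATA_CENTRE_FIRE = Threat("fire in data centre", 250.0, 0.25, 0.1)

# Slide example: web server ALE Rs 12000; IDS leaves Rs 2000 and costs Rs 400 a year.
# The second candidate is constructed, not from the slides.
WEB_SERVER_ALE = 12000.0
CANDIDATES = [
    Safeguard("IDS", ale_after=2000.0, annual_cost=400.0),
    Safeguard("constructed managed-monitoring option", ale_after=1000.0, annual_cost=11500.0),
]
```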


Risk Analysis Approaches

Total Risk

• The company chooses not to implement any safeguard

• Cost/benefit analysis indicates that safeguard costs are high

We have

Threats x vulnerability x asset value = total risk

Residual Risk

• No company can remove all threats (100%) using any safeguards

• It is the level of risk the company is going to accept

We have

Total Risk – Countermeasures = Residual Risk

Handling Risks

Four ways to deal with organizational risks

• Transfer

Insurance is available to companies to protect their assets

• Avoid

Discontinue the vulnerable service

• Reduce

Implement firewalls, IDS or IPS so that risk levels are reduced

• Accept

The potential cost of the loss is lower than the cost of the countermeasure. Management decides on the basis of cost/benefit analysis.

Policies, Standards, Baselines, Guidelines and Procedures

• Security Policy

• General statement by senior management that dictates what role security plays within the organization

• Lays out program goals, assigns responsibilities, shows the strategic and tactical value of security and outlines how enforcement should be carried out

• Must address relevant laws, regulations and liability issues and how they are to be satisfied

• Provides a process for dealing with those who choose not to comply with the security policy and a structured method for responding to non-compliance

• Types of policies

• Regulatory

• Ensures that the organization is following standards

• Specific to an industry

• Used mostly in government and regulated industries

• Examples: HIPAA, SOX, PCI-DSS

• Advisory

• Strongly advises employees as to which types of behaviors and activities should and should not take place, with the possible ramifications

• Informative

• Informs employees about certain topics

• Not enforceable; rather, it teaches individuals about specific issues relevant to the company

Policies, Standards, Baselines, Guidelines and Procedures

• Standards

• Refer to mandatory activities, actions or rules

• They give the policy its support and reinforce its direction

• Examples

• Define expected user behavior

• Standard for the use of hardware and software in the organization

• Standards for using encryption for confidential data at rest or on the wire

• Display of company identity cards by employees

• Baselines

• Refer to a point in time that is used as a comparison for future changes

• A consistent reference point

• Define the minimum level of protection required

• Security personnel must assess the systems as changes take place and ensure that the baseline level of security is always being met

• Guidelines

• Recommended actions and operational guides for users, IT staff, operations staff and others when specific standards do not apply

• General-purpose approaches that provide the necessary flexibility for unforeseen circumstances

• Procedures

• Detailed step-by-step tasks that should be performed to achieve a certain goal

• The lowest level in the documentation chain, as they are closest to users and computers

• Procedures spell out how the policies, standards and guidelines will actually be implemented in the operating environment

Organization Security Program

Thanks