ACG 6415 SPRING 2012

KRISTIN DONOVAN&

BETH WILDMAN

IT Security Frameworks

IT Security Frameworks

Governance Framework – specify how to do security planning and implementation

Multiple framework exists CobIT ISO/IEC 27000 COSO

Why are IT Security Frameworks needed?

Sarbanes-Oxley Act of 2002 (SOX) Section 404 – public companies must use an internal

control framework and perform annual assessments No specific framework is required

PCAOB Audit Standard No. 2 A control framework should be used to test the

effectiveness of accurate financial reporting

Information can be the most valuable asset a company has

COBIT & ISO 27000 FAMILY

Two Popular IT Security Frameworks

CobIT

Control Objectives for Information and Related Technology

Developed in conjunction with the “Big Four” accounting firms

Published by the IT Governance Institute

Broad framework to implement IT controls

CobIT

Focuses on four areas of control Planning and Organization (Plan) Acquisition and Implementation (Do) Delivery and Support (Check) Monitoring (Correct)

34 high level control objectives

318 detailed control objectives

CobIT

Maturity Model Tool for management to go through the company’s

current IT process and determine if they are effective or non-existent

Assists in determining which areas require more effort

Once the environment has been assessed, management can develop: Critical success factors Key performance indicators Key goal indicators

CobIT

Plan and Organize Necessary to ensure objectives of “Acquire &

Implement” and “Delivery & Support” are met

Establish the corporate vision

Determine level of acceptable risk

Focuses on the best way to implement the IT structure

CobIT

Plan and Organize Control Objectives1. PO1 – Define a strategic IT plan2. PO2 – Define the information architecture3. PO3 – Determine technological direction4. PO4 – Define the IT processes, organization, and

relationships5. PO5 – Manage the IT investment6. PO6 – Communicate management aims and direction7. PO7 – Manage IT human resources8. PO8 – Manage quality9. PO9 – Assess and manage IT risks10. PO10 – Manage projects

CobIT

Acquire and Implement After planning is completed, the company must

determine how to implement the new internal control process

Can involve acquiring new technologies

CobIT

Acquire and Implement Control Objectives1. AI1 – Identify automated solutions2. AI2 – Acquire and maintain application software3. AI3 – Acquire and maintain technology infrastructure4. AI4 – Enable operation and use5. AI5 – Procure IT resources6. AI6 – Manage changes7. AI7 – Install and accredit solutions and changes

CobIT

Deliver and Support Controls cost

Guarantees the three initiatives of confidentiality, availability, and integrity are in place

Ensures new controls are maintained

CobIT

Deliver and Support Control Objectives1. DS1 – Define and manage service levels2. DS2 – Manage third party services3. DS3 – Manage performance and capacity4. DS4 – Ensure continuous service5. DS5 – Ensure systems security6. DS6 – Indentify and allocate costs7. DS7 – Educate and train users8. DS8 – Manage service desk incidents9. DS9 – Manage the configuration10. DS10 – Manage problems11. DS11 – Manage data12. DS12 – Manage the physical environment13. DS13 – Manage operations

CobIT

Monitor and Evaluate Measures if the controls implemented are sufficient

Assurance that the company is meeting regulatory requirements

Attends to the issue of ongoing evaluation

CobIT

Monitor and Evaluate Control Objectives ME1 – Monitor and evaluate IT performance ME2 – Monitor and evaluate internal controls ME 3- Ensure compliance with external requirements ME4 – Provide IT governance

CobIT

Broad framework, covering a large range of internal controls

Does not give specific ways to make the companies information more secure

ISO 27000 Series

Issued by the International Standards Organization

Popular globally, used by companies within the US and those abroad

Includes multiple standards 27001 27002 27003 27004 27005 27006 27007 27008

ISO 27000 Series

ISO 27001 “Specifies the requirements for establishing,

implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management System.” ISO

ISO 27002 Focuses on information security and lists controls and

control mechanisms which can be implemented to comply with ISO 27001

ISO 27000 Series

ISO 27002 Covers 11 main areas of information security management1. Security Policy – creating policies based on the

organization’s needs2. Organization of Information Security – managing of the

security infrastructure3. Asset Management – assigning responsibility for assets &

physical security of the assets4. Human Resource Security – personnel screening, code of

conduct, training, and a process to address violations5. Physical & Environmental Security – analyzing the

environment, securing physical perimeter, and appropriate controls

ISO 27000 Series

ISO 270026. Communications and Operations Management -

ensures correct and secure operations of assets7. Access Control – “Properly protect access to an

organization’s information, such as controls required to combat hacker attempts and other malicious attempts to access organization networks and information.” –Wallace

8. Information Systems Acquisition, Development, & Maintenance – discusses security requirements needed

9. Information Security Incident Management – plan for reporting and managing security events, incidents, and weaknesses

ISO 27000 Series

ISO 2700210. Business Continuity Management – plans to address

disruptions in normal operations and ongoing reassessment of plans

11. Compliance – “is intended to ensure that the organization avoids breaches of any criminal or civil law, as well as any statutory, regulator or contractual obligations, and of any security requirements.” - Calder

ISO 27000 Series

If all controls are implemented properly the company with be in compliance with SOX (in regards to IT security)

Focuses solely on IT security

CobIT vs. ISO 27000 Series

Compare Both relate to IT controls Created based on past experience Continuously refined

Contrast CobIT is a broad framework on how to implement internal

controls ISO focuses exclusively on IT security

Combination of CobIT & ISO 27000 provides an organization the best IT security.

ISO 27000 and CobIT Mapping

IT Governance institute has created a mapping between ISO 27000 and CobIT

Links ISO 27000 control objectives to each dimension in the CobIT framework

Results in a framework is high level enough to be integrated with IT governance and overall corporate governance

Also detailed enough to provide mangers with the necessary steps to implement these controls

ISO 27000 and CobIT Mapping

CobIT: Deliver & Support 5.2 Relates to identification, access, and authorization

“The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources with access rules.” (IT Governance, COBIT Mapping)

ISO 27000 and CobIT Mapping

ISO objectives (listed in parenthesis next to detail below) state exactly what should be done to meet the requirements of COBIT DS5.2 Access of third parties should be controlled (4.2). Adequate privilege management should be included in

application systems. Authorizations should be documented and follow a defined process (9.2.2).

Passwords should be used for authentication. Passwords should be given to identified users in a secure manner and not in unprotected electronic mail messages (9.2.3).

Access controls to internal and external networked services should be in place (9.4).

ISO 27000 and CobIT Mapping

User authentication for external connections should be controlled. Access restrictions should be based on a risk assessment. Authentication should consider hardware tokens, challenge/response protocols, dial-back or other mechanisms (9.4.3).

Authentication mechanisms should be based on node authentication, if applicable (9.4.4).

Access controls (e.g., key locks) should ensure that only required access can be obtained. This should include procedures and arrangements (9.4.5).

Special access controls should be in place for shared networks (9.4.7).

Identity should be verified as part of operation system access control. Identification of the user’s location should be considered (9.5).

ISO 27000 and CobIT Mapping

Connection to specific locations should be based on automatic terminal identification, when appropriate (9.5.1).

Requirements for terminal logon procedures (e.g., maximum number of unsuccessful logon attempts) provided in the ISO standard should be considered (9.5.2).

A unique user ID should be required for all individuals. Users’ privileges should not be identifiable by the user ID. A shared user ID should be used only when a clear business case exists. Identification and authentication can be based on passwords, biometric technologies or a combination of technologies (9.5.3).

A good password management system raises the quality of passwords and should be implemented. Requirements for password management systems are provided in the ISO standard (9.5.4).

Access should be ended after defined time-out delay. Alternatively, screen savers that prevent unauthorized access to terminals can be used (9.5.7).

Conclusion

SOX strong focus on internal controls has required organizations to implement an IT governance framework

Companies must review and report on internal controls with management and external auditors

A combination of CobIT and ISO 27000 series is the best way to ensure compliance