Strategies for Implementing Security

February 2003

Page 2

Ernst & Young Confidential and Proprietary

Security Architecture Framework

§ Security Program Compliance and Reporting

– Auditing and Testing

– Metrics Definition and Collection

– Reporting (management, regulatory, 3rd party)

– Program Quality

§ Governance, Policies and Standards

– Governance Structure

– Policies

– Technology-Independent Standards

§ Asset Profile (Technology, Physical, Information)

– Inventory, Ownership, Risk Profile, Classification

§ Technology Specifications

– Minimum Security Baselines: Operating Systems, Databases, Applications, Networks

§ Business Drivers

– Business Strategies

– Industry Regulations

– Acceptable Risk

§ People & Organizational Management

– Organizational Structure

– Functional Definition

– Roles and Responsibilities

– Skills/Resource Plan

§ Technical Security Architecture

§ Processes and Operational Practices

– BCP/DR/Crisis Management

– Incident Response

– Identity & Access Mgmt

– Security Development/Deployment

– Certification & Accreditation

– Security Awareness/Education

– SLA Definition / Management

– Security Monitoring

– Physical Security

– Vulnerability Mgmt

– Risk Management

– 3rd Party Security

– Asset Management

Page 3

Confidentiality, Integrity and Availability

§ Confidentiality – Ensuring that only authorized personnel have access to information

§ Integrity – Ensuring that information is unchanged and accurate

§ Availability – Ensuring that information is available to the user when it is needed


Page 4

Business Drivers

§ Regulations

§ Guidelines

§ Business Requirements

§ Customer Requirements

§ Business Partner Requirements


Page 5

Policies

§ Demonstrate support for, and commitment to, information security

§ State policy across the entire enterprise

§ Broad statement of principle

§ Long term; changed infrequently

§ Few in overall number

§ Provide overall direction for the organization

§ Mandatory; require formal exception process

§ Process and technology independent

§ Require a high level of authority to create, change or eliminate


Page 6

Standards

§ Suitable for complying with policies

§ Specify a course of action

§ Mandatory; require formal exception process

§ Process and technology independent

§ Mid-level authority required to create, change or eliminate


Page 7

Procedures / Guidelines

§ Process and/or technology dependent

§ Require a low level of authority to create, change or eliminate

§ May have a high level of complexity

§ Generally apply enterprise-wide, with some exceptions locally

§ May be situation-specific

§ May require formal exception process


Page 8

Policy Management / Administration

§ Development: Planning and creation of the policy

§ Review: Assessment of the policy by an independent party

§ Approval: Authorizing implementation of the policy

§ Communication: Dissemination of policy to enterprise

§ Implementation: Initial execution of the policy

§ Compliance Monitoring: Tracking and reporting on the effectiveness

§ Exception Approval: Evaluation, documentation and tracking of exceptions

§ Maintenance: Ensuring currency


Page 9

Asset Management - Process and Guidelines

– Provide simple, consistent and timely classification and authorization processes

– Balance between protection of and access to an organization’s business information

– Provide clear guidelines for employees and contractors for the classification and handling of information


Page 10

Asset Management - Asset Inventory

– Maintain an inventory of assets, link those assets to owners, and identify technologies supporting key applications or groups of applications

– Enable organizations to track security controls implemented to protect assets

– Monitor support of ongoing threats that may be introduced to the asset environment


Page 11

Technical Security Architecture

§ Multi-tiered centrally managed approach to Internet access

§ All access to the Internet is controlled via password protected proxy devices that filter inappropriate content

§ Third party connectivity is controlled via connections to distinct network segments

§ Connections to the enterprise network are only made after a review of controls at connecting organization


Page 12

Technical Security Architecture

§ Network-based intrusion detection in place for all external network connections

§ Host-based intrusion detection in place for all business critical servers

§ Production data is strictly segmented from development data


Page 13

Technical Security Architecture

§ Multiple tiers of virus protection exist

§ All email is filtered through a virus scanner

§ All file servers and workstations are protected via a managed (push-technology) virus protection solution

§ Encryption Standards are employed consistently across enterprise

§ Only Standards Based Encryption is used

§ Centralized Directory (LDAP) in use

Page 14

Processes and Operational Practices

§ Business Continuity Management

– Critical Business Processes are identified and linked to Applications

– Business Applications are linked to IT Disaster Recovery Plans

§ Incident Response

– Documented Incident Response Plans define roles and actions

– Ensure proper control of information released to the public

§ Identity and Access Management

– Users are centrally managed

– Tools may assist in user provisioning


Page 15

Processes and Operational Practices

§ Security Development / Deployment

– A formal security requirements analysis of new applications and of releases of existing applications

– Security is involved from the beginning

– Appropriate security controls, including activity logs, strong authentication methods, secure data storage techniques, and data validation, are included

§ Certification and Accreditation

§ Security Awareness and Education

– Regular awareness training conducted

§ SLA Definition


Page 16

Processes and Operational Practices

§ Security Monitoring

– Monitoring all critical systems to ensure compliance with Corporate configuration policies and standards

– Intrusion Detection linked to Incident Response

§ Physical Security

– All Critical Servers located in Data Center

– Segmented from regular office location

– Adequate controls exist for access

– Environmental Controls in place

§ Vulnerability Management

– Process in place to obtain and review vulnerabilities and ensure timely remediation


Page 17

Processes and Operational Practices

§ Risk Management

– Formal process for conducting risk assessments

– Ongoing process

§ 3rd Party Security

– Parameters for connecting 3rd parties are well documented

§ Asset Management

– All business critical platforms have security standards that are applied before deployment

– There are clearly documented and communicated exception policies for individual machines that may not meet corporate security standards


Page 18

Processes and Operational Practices

§ Change Management

– Review all components: computer software, data transfers, database fields and structures, and hardware that could be impacted

– Database is maintained which contains the relationships between all applications, hardware, and data

– Change control review boards exist that have significant interaction with business leaders

– All program changes including infrastructure changes are reviewed

– Mirror images of production systems exist for comprehensive testing of programs
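The Change Management slide above calls for a maintained database of the relationships between applications, hardware and data, and for reviewing every component a change could impact. The Python below is an added example, not part of the Ernst & Young deck: it holds such relationships as a constructed dependency graph, walks downstream dependents transitively to produce the review list, and flags changes that reach a business-critical application for the change control review board. Component names, the relationship records and the critical-application set are constructed sample data.

```python
"""Change impact analysis over a relationship database (CMDB-style)."""
from collections import deque

# Constructed relationship records: (upstream, downstream) means "downstream depends
# on upstream", so a change to upstream can impact downstream. Sample data only.
RELATIONS = [
    ("srv-db-01", "orders-db"),              # database hosted on hardware
    ("orders-db", "orders.customer_id"),     # database field lives in the database
    ("orders-db", "order-entry-app"),        # application reads/writes the database
    ("srv-web-01", "order-entry-app"),       # application hosted on hardware
    ("order-entry-app", "billing-feed"),     # nightly data transfer produced by the app
    ("billing-feed", "billing-app"),         # consumer of the transfer
    ("srv-hr-01", "hr-app"),
]

# Applications the change control board must always see (constructed set).
CRITICAL_APPLICATIONS = {"order-entry-app", "billing-app"}


def build_dependents(relations):
    """Index the relationship records as upstream -> set of direct dependents."""
    dependents = {}
    for upstream, downstream in relations:
        dependents.setdefault(upstream, set()).add(downstream)
        dependents.setdefault(downstream, set())
    return dependents


def impacted_components(changed, relations):
    """Return every component reachable downstream of `changed` (transitive closure).

    Breadth-first traversal with a visited set, so cyclic relationships terminate.
    Raises KeyError for a component the database does not know: an unknown
    component cannot have had its impact reviewed.
    """
    dependents = build_dependents(relations)
    if changed not in dependents:
        raise KeyError(f"{changed!r} is not in the relationship database")
    seen = set()
    queue = deque(dependents[changed])
    while queue:
        component = queue.popleft()
        if component in seen:
            continue
        seen.add(component)
        queue.extend(dependents[component])
    seen.discard(changed)  # a self-loop would otherwise list the changed item
    return seen


def review_plan(changed, relations, critical):
    """Produce the review checklist for a proposed change to one component."""
    impacted = impacted_components(changed, relations)
    critical_hit = sorted(impacted & critical)
    return {
        "changed": changed,
        "impacted": sorted(impacted),
        "critical_impacted": critical_hit,
        "requires_board_review": bool(critical_hit),
    }


if __name__ == "__main__":
    for component in ("srv-db-01", "srv-hr-01"):
        print(review_plan(component, RELATIONS, CRITICAL_APPLICATIONS))
```

The traversal follows only the downstream direction, which is the question a change reviewer asks ("what breaks if this changes"); an unknown component is treated as an error rather than as "no impact", because silence from the database is exactly the gap that a review process should not paper over.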


Page 19

Technical Specifications

§ All major platforms are identified

§ Minimum security baselines exist for the specific platforms in use

§ Technical specifications for new technologies are created before implementation

Security Organization - Executive Sponsorship

§ Security concerns are issues of corporate governance

§ Identify, and communicate, high-level executive sponsorship for managing information security risk

§ Recognize information security as a business issue that requires people, technology, policy and process to implement

Security Organization - Reporting Relationships

§ The industry trend is for Chief Information Security Officers (CISOs) to report outside the IT organization, directly to executive management

§ Leading practice is a direct reporting relationship to the CIO, with a dotted-line or committee interface to other business and operations executives

§ Some organizations have established a dotted-line interface to the audit committee

Security Organization - Structure

§ In leading organizations the structure is clearly defined and communicated

§ Reporting levels are appropriately aligned and carry appropriate authority

§ A blend of centralized and decentralized security structure is common

§ Decentralized business-unit or functional security units are aligned with the centralized corporate security function

Security Program Compliance and Reporting

§ Measures the effectiveness of the security program

§ Conducts compliance reviews across all domains of influence

§ Reports across the enterprise

§ Security audits are performed on a risk basis

§ Clear goals have been defined for projects
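The "minimum security baselines for the specific platforms in use" item under Technical Specifications and the "compliance reviews" and "risk-based" items above come together in a baseline check: a platform configuration is compared with the baseline, deviations are ranked by risk, and the result becomes a reportable metric. The following is an added example, not from the Ernst & Young deck. The baseline values, risk ratings, implicit defaults and the sample sshd_config text are constructed for illustration; the one real behaviour relied on is that OpenSSH honours the first occurrence of a directive, so a later "fixing" line does not override an earlier one.

```python
"""Minimum-security-baseline check over a platform configuration (added example).

Constructed baseline and sample configuration; not a baseline from the deck.
"""
import re

# Constructed baseline for an OpenSSH server: directive -> (allowed values, risk rating)
SSHD_BASELINE = {
    "PermitRootLogin":        ({"no"}, "high"),
    "PasswordAuthentication": ({"no"}, "high"),
    "Protocol":               ({"2"}, "high"),
    "X11Forwarding":          ({"no"}, "medium"),
    "MaxAuthTries":           ({"3", "4"}, "medium"),
    "LogLevel":               ({"INFO", "VERBOSE"}, "low"),
}

# Values assumed to apply when a directive is absent (assumption for this example;
# verify against the sshd version actually deployed before using as a baseline).
IMPLICIT_DEFAULTS = {
    "PermitRootLogin": "yes",
    "PasswordAuthentication": "yes",
    "Protocol": "2",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}

# Constructed sample: the appended PermitRootLogin line is ignored by sshd
# because the first value of a directive wins.
SAMPLE_SSHD_CONFIG = """
# constructed sample configuration, not from a real host
Protocol 2
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 6
LogLevel VERBOSE
PermitRootLogin no   # "fix" appended later; has no effect
"""


def parse_sshd_config(text):
    """Return directive -> effective value, applying OpenSSH's first-occurrence rule."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        match = re.match(r"^(\S+)\s*[= ]\s*(.*)$", line)   # "Key value" or "Key=value"
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        # directive names are case-insensitive; map to the baseline's spelling
        canon = next((k for k in SSHD_BASELINE if k.lower() == key.lower()), key)
        effective.setdefault(canon, value)        # first occurrence wins
    return effective


def check_baseline(effective, baseline=SSHD_BASELINE, defaults=IMPLICIT_DEFAULTS):
    """Compare effective settings with the baseline. Returns findings as
    (directive, observed, allowed, risk). An absent directive is judged on its
    implicit default: "not configured" is not the same as "compliant"."""
    findings = []
    for directive, (allowed, risk) in baseline.items():
        observed = effective.get(directive, defaults.get(directive, "<unset>"))
        if observed not in allowed:
            findings.append((directive, observed, sorted(allowed), risk))
    return findings


def risk_ranked(findings):
    """Order findings high -> low risk, then by directive name, for a risk-based report."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[3]], f[0]))


def compliance_score(findings, baseline=SSHD_BASELINE):
    """Fraction of baseline items met: a metric that can be reported per host."""
    return 1 - len(findings) / len(baseline)


if __name__ == "__main__":
    found = check_baseline(parse_sshd_config(SAMPLE_SSHD_CONFIG))
    for directive, observed, allowed, risk in risk_ranked(found):
        print(f"[{risk}] {directive}: observed {observed!r}, baseline allows {allowed}")
    print(f"compliance: {compliance_score(found):.0%}")
```

Two details make the check worth automating: the absent `PasswordAuthentication` is reported as a high-risk deviation because the baseline compares against the effective value rather than only the lines present, and the appended `PermitRootLogin no` does not make the host compliant, which a reviewer grepping the file for the directive would get wrong.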
