
ISACA

The recognized global leaders in IT governance, control, security and assurance

2008 CISA Review Course

Chapter 5 Protection of Information Assets

Chapter 5
Importance of Information Security Management

The advent of electronic trading, the loss of organizational barriers, and high-profile security exposures such as viruses and denial-of-service attacks, intrusions, unauthorized access, disclosures and theft of credit card numbers over the internet have raised the profile of information and privacy risk and the need for effective information security management.

Security objectives to meet organizations' business requirements include:

Ensure the continued availability of their information systems
Ensure the integrity of the information stored on their computer systems
Preserve the confidentiality of sensitive data

Ensure conformity to applicable laws, regulations and standards
Ensure adherence to trust and obligation in relation to any information relating to an identified or identifiable individual
Preserve the confidentiality of sensitive data in store and in transit

Key Elements of Information Security Management

Senior management commitment and support
Policies and procedures
Organization
Security awareness and education
Monitoring and compliance
Incident handling and response

Information Security Management Roles and Responsibilities:

IS Security Steering Committee: should be established formally with appropriate terms of reference
Executive Management: responsible for the overall protection of information assets
Security advisory group: responsible for the review of the security plan of the organization

Chief Privacy Officer (CPO): articulates and enforces the policies used to protect the privacy rights of customers and employees
Chief Security Officer (CSO): articulates and enforces the policies used to protect the information assets
Information asset and data owners: responsible for the assets they own

Users: use the assets following the procedures set out in the security policy
External parties: third-party service providers and trading partners that deal with the information assets
Security specialists/advisors: assist with the design, implementation and review of security policies, standards and procedures

IT developers: implement information security within their applications
IS auditors: provide independent assurance to management on the appropriateness and effectiveness of information security objectives and of the controls related to those objectives

Information Asset Inventories

The inventory record of each information asset should include:

Clear identification of the asset
Location
Security/risk classification
Asset group
Owner

Classification of Information Assets

Information assets have varying degrees of sensitivity and criticality in meeting business objectives
They should be classified according to a preset guideline
Classifications should be simple and unambiguous

Classification should define:

Who is the owner?
Who has access rights, and to do what?
The level of access to be granted to each
Who is responsible for determining the access rights and access levels?
What approvals are needed for access?

System Access Permissions

A system access permission is the prerogative to act on a computer resource, for example the ability to read, create, modify or delete a file or data
It is established, managed and controlled at the physical and/or logical level

Physical system access controls restrict the entry and exit of personnel to an area such as an office building, suite, data center or server room
There are many types of physical access control, such as lock and key, smart cards, memory cards and biometrics

Logical system access controls restrict the use of the logical resources of the system, such as data, programs and applications
IT assets under logical security can be grouped in four layers:

Networks
Platforms (operating systems)
Databases
Applications

The information owner or manager who is responsible for the information should provide written authorization for users to gain access
This should strictly be on a need-to-know basis only
Logical access is implemented by the security administrator

Reviews of access authorization should be done regularly to ensure that the authorizations are still valid
Personnel and departmental changes, malicious efforts and carelessness result in authorization creep and can impact the effectiveness of access controls
When personnel leave, their system access should be revoked immediately
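The periodic review the slide calls for can be mechanized by comparing the access-control system's entitlement records against the HR roster. The following script is an added example, not ISACA course material; the roster, entitlement records, review interval and action labels (REVOKE, REVALIDATE, RECERTIFY) are all constructed for illustration. It flags leavers who still hold access, entitlements granted under a department the user has since left (the classic source of authorization creep), and entitlements whose last review is overdue.

```python
"""Added example: periodic access-authorization review.
Flags authorization creep and leavers whose access was not revoked.
The HR roster and entitlement records below are constructed sample data."""
from datetime import date

# Constructed HR roster: user -> (employment status, current department)
HR = {
    "alice": ("active", "finance"),
    "bob":   ("active", "sales"),       # moved from finance to sales
    "carol": ("terminated", "it"),      # left the organization
    "dave":  ("active", "it"),
}

# Constructed entitlement records exported from the access-control system.
ENTITLEMENTS = [
    {"user": "alice", "system": "ERP",  "right": "read",
     "dept_at_grant": "finance", "last_reviewed": date(2008, 1, 10)},
    {"user": "bob",   "system": "ERP",  "right": "write",
     "dept_at_grant": "finance", "last_reviewed": date(2007, 3, 1)},
    {"user": "carol", "system": "HRDB", "right": "admin",
     "dept_at_grant": "it",      "last_reviewed": date(2008, 2, 1)},
    {"user": "dave",  "system": "HRDB", "right": "read",
     "dept_at_grant": "it",      "last_reviewed": date(2008, 6, 1)},
]

# Assumed review policy: every entitlement is recertified at least twice a year.
REVIEW_INTERVAL_DAYS = 180


def review_access(hr, entitlements, today):
    """Return a list of (user, system, action, reason) findings."""
    findings = []
    for e in entitlements:
        record = hr.get(e["user"])
        # Leavers (or users unknown to HR) keep no access: revoke immediately.
        if record is None or record[0] != "active":
            findings.append((e["user"], e["system"], "REVOKE",
                             "user no longer employed"))
            continue
        _, current_dept = record
        # A department change since the grant means the need-to-know may be gone.
        if current_dept != e["dept_at_grant"]:
            findings.append((e["user"], e["system"], "REVALIDATE",
                             f"granted as {e['dept_at_grant']}, now {current_dept}"))
        # Otherwise the owner must still recertify on schedule.
        elif (today - e["last_reviewed"]).days > REVIEW_INTERVAL_DAYS:
            findings.append((e["user"], e["system"], "RECERTIFY",
                             "review overdue"))
    return findings


def run_review(today=date(2008, 9, 1)):
    """Run the review over the constructed data as of a fixed date."""
    return review_access(HR, ENTITLEMENTS, today)


if __name__ == "__main__":
    for user, system, action, reason in run_review():
        print(f"{action:10} {user:6} {system:5} {reason}")
```

In a real review the roster would come from the HR system of record and the entitlements from each of the four logical layers (network, platform, database, application), and every REVOKE finding would be actioned before the REVALIDATE and RECERTIFY items go back to the information owners for written re-authorization.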

Non-employees with access to company systems should also be held responsible for security compliance and accountable for security breaches
Non-employees include contract employees, vendor programmers, maintenance personnel, clients, auditors and consultants

Mandatory and Discretionary Access Controls

Mandatory (MAC)

Decided on the basis of the sensitivity of information resources
Cannot be modified by users
Only the administrator can change the category of a resource
Enforces corporate security policy

Discretionary (DAC)

Enforces data-owner-defined sharing of information resources
Can be modified by data owners at their discretion
DAC cannot override MAC
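The interaction between the two models, including the rule that DAC cannot override MAC, is easier to see in code. The toy decision engine below is an added example, not part of the course material; the sensitivity labels, subjects, resource and rights are constructed. A resource carries a MAC label that only an administrator may change, plus a DAC access list that only its owner may edit; a request is granted only when both checks pass, so an owner's discretionary grant to a user whose clearance is below the label has no effect until an administrator relabels the resource.

```python
"""Added example: a toy access-decision engine that combines mandatory
(MAC) and discretionary (DAC) controls. All labels, subjects and resources
are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed sensitivity scheme, ordered from least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str          # highest label the subject is cleared for (MAC)
    is_admin: bool = False  # only administrators may relabel resources


@dataclass
class Resource:
    name: str
    owner: str
    label: str                                  # MAC classification
    acl: dict = field(default_factory=dict)     # DAC: user -> set of rights


class AccessControl:
    def __init__(self):
        self.resources = {}

    def register(self, res):
        self.resources[res.name] = res

    def relabel(self, actor, res_name, new_label):
        """MAC: only the administrator can change a resource's category."""
        if not actor.is_admin:
            raise PermissionError(f"{actor.name} may not change MAC labels")
        self.resources[res_name].label = new_label

    def grant(self, owner, res_name, grantee, right):
        """DAC: the data owner shares the resource at his or her discretion."""
        res = self.resources[res_name]
        if owner.name != res.owner:
            raise PermissionError(f"{owner.name} does not own {res_name}")
        res.acl.setdefault(grantee, set()).add(right)

    def mac_allows(self, subject, res):
        # Simple no-read-up rule: clearance must dominate the resource label.
        return LEVELS[subject.clearance] >= LEVELS[res.label]

    def dac_allows(self, subject, res, right):
        return subject.name == res.owner or right in res.acl.get(subject.name, set())

    def check(self, subject, res_name, right):
        """Grant only if BOTH MAC and DAC allow: DAC cannot override MAC."""
        res = self.resources[res_name]
        return self.mac_allows(subject, res) and self.dac_allows(subject, res, right)


def demo():
    """Walk through the constructed scenario and return each decision."""
    ac = AccessControl()
    admin = Subject("admin", "secret", is_admin=True)
    alice = Subject("alice", "confidential")    # data owner
    bob = Subject("bob", "internal")            # cleared below the label
    ac.register(Resource("salary.xls", owner="alice", label="confidential"))
    ac.grant(alice, "salary.xls", "bob", "read")   # owner's discretionary grant

    results = {
        "owner_read": ac.check(alice, "salary.xls", "read"),
        # DAC says yes, MAC says no: the grant does not take effect.
        "bob_read_after_grant": ac.check(bob, "salary.xls", "read"),
    }
    ac.relabel(admin, "salary.xls", "internal")    # only the admin may do this
    results["bob_read_after_relabel"] = ac.check(bob, "salary.xls", "read")
    results["bob_write"] = ac.check(bob, "salary.xls", "write")  # no DAC right
    try:
        ac.relabel(bob, "salary.xls", "public")    # an ordinary user may not
        results["user_relabel"] = True
    except PermissionError:
        results["user_relabel"] = False
    return results


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision:24} {'ALLOW' if allowed else 'DENY'}")
```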

Privacy Management Issues and the Role of IS Auditors

Privacy means adherence to trust and obligation in relation to an identified or identifiable individual
It is an organizational matter which by nature requires a consistent and homogeneous approach throughout the organization

The goals of a privacy impact assessment:

Pinpoint the nature of personally identifiable information associated with business processes
Document the collection, use, disclosure and destruction of personally identifiable information

Ensure that accountability for privacy issues exists
Be the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk

The Role of IS Auditors

Identify and understand legal requirements regarding privacy
Check whether personal data are correctly managed in these respects
Verify that correct security measures are adopted
Review management's privacy policy to ascertain that it takes into consideration the requirements of applicable privacy laws

Critical success factors for information security management

Information security policy
Senior management commitment and support for security training
Security awareness training
Professional, risk-based approach

Computer crime issues and exposures

Threats to business include the following:

Financial loss: these losses can be direct or indirect
Legal repercussions: there are numerous privacy and human rights laws an organization should consider when developing security policies
Loss of credibility or competitive edge: many organizations need credibility and public trust to maintain their competitive edge

Blackmail/industrial espionage: by gaining access, a perpetrator could obtain proprietary information which he can sell to a competitor, or extort payments by threatening to exploit the security breach
Sabotage: some perpetrators merely want to cause damage, due to a dislike of the organization, for self-gratification or for political reasons

Disclosure of confidential, sensitive or embarrassing information: such events can damage the credibility of the organization, and legal action may also result from such disclosures

It is important that the IS auditor know and understand:

Computer crime vs. computer abuse
Civil offense vs. criminal offense
What constitutes a crime?
When should a crime be suspected?
What should be done if a crime is suspected?

Possible perpetrators include:

Hackers: persons with the ability to explore the details of programmable systems and the knowledge to stretch or exploit their capabilities, whether ethical or otherwise. Some often do not access a computer with the intention of destruction, but this is often the result. The terms "hack" and "crack" are often used interchangeably

Script kiddies: individuals who use scripts and programs written by others to perform their intrusions, and who are often incapable of writing similar scripts on their own
Crackers: those who try to break into someone else's system without being invited to do so

Employees (authorized or unauthorized): affiliated with the organization and given access based on job responsibilities. These individuals can cause significant harm, so screening prospective employees through appropriate background checks is an important means of preventing computer crime within the organization

IS personnel: these individuals have the easiest access to computerized information, since they are the custodians of this information. In addition to logical access controls, good segregation of duties and supervision help reduce logical access violations by these individuals

End users: they have broad knowledge of the information within the organization and easy access to internal resources
Former employees: be wary of former employees who have left on unfavorable terms; they may still have easy access to internal resources

Interested or educated outsiders, which may include:

Competitors
Terrorists
Organized criminals
Hackers looking for a challenge
Script kiddies
Crackers

Part-time and temporary personnel: office cleaners, for example, have a great deal of physical access and could perpetrate a crime
Third parties: vendors, consultants or other third parties can gain access through projects and could perpetrate a crime
Accidental ignorant: someone who unknowingly perpetrates a violation

Security incident handling and response

To minimize damage from security incidents, a formal incident response capability should be established. It should include the following:

Planning and preparation
Detection
Initiation
Evaluation

Containment
Eradication
Response
Recovery
Closure
Post-incident reviews
Lessons learnt

The organization and management of the incident response capability should be coordinated or centralized, with the establishment of key roles and responsibilities. These should include:

A coordinator who acts as the liaison to business process owners
A director who oversees the incident response capability

A manager who manages individual incidents
Security specialists who detect, investigate, contain and recover from incidents
Non-security technical specialists who provide assistance based on their subject matter
A business unit leader who liaises between the various departments

An IS auditor should ensure that there is a formal, documented plan which contains response procedures for common security-related incidents such as:

Virus outbreak
Web defacement
Abuse notification
Unauthorized access alert from audit trails
Hardware/software theft

Security attack alerts from intrusion detection systems
System root compromises
Physical security breaches
Spyware/malware/Trojans detected on PCs
Fake defamatory information in the media
Forensic investigations


End of Module
