Research paper on data breach
Security Policies and Implementation Issues
Chapter 8
IT Security Policy Framework Approaches
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Describe the different methods, roles, responsibilities, and accountabilities of personnel, along with the governance and compliance of a security policy framework.
Key Concepts
-Different methods and best practices for approaching a security policy framework
-Importance of defining roles, responsibilities, and accountability for personnel
-Separation of duties (SoD)
-Importance of governance and compliance
Information Systems Security Policy Frameworks
Choosing the framework that works in your organization is not easy
-The one selected will be based on the organizational type, the risk, and the view from top management
A simplified security policy framework domain model
-Federal Information Security Management Act of 2002 (FISMA)
-Committee of Sponsoring Organizations (COSO)
-Control Objectives for Information and Related Technology (COBIT) (publicly traded organizations only, as this is for SOX 404)
-ISO 17799 (27002), ISO 20000 (ITIL), NIST, OCTAVE, PCI DSS (if you process payments electronically)
Frameworks are flexible and allow an organization to adopt the constructs that fit its overall governance and compliance planning requirements
10/1/2017
Choosing the right framework is not easy
Use a simplified security policy framework domain model
Flexible frameworks fit governance and compliance planning requirements
IT Security Policy Framework Domain Model
Risk IT Framework Process Model
Roles
-Head of information management
-Data stewards
-Data custodians
-Data administrators
-Data security administrators
Roles and Responsibilities
Executive Management
-Responsible for governance and compliance requirements, funding, and policy support
Chief Information Officer (CIO)/Chief Security Officer (CSO)
-Responsible for policy creation, reporting, funding, and support
Chief Financial Officer (CFO)/Chief Operating Officer (COO)
-Responsible for data stewardship; the owners of the data
Roles and Responsibilities (Continued)
System Administrators/Application Administrators
-Responsible for custodianship of the data, maintaining the quality of the data, and executing the policies and procedures that pertain to the data, such as backup, versioning, updating, downloading, and database administration
Security Administrator
-Responsible for granting access, assessing threats to the data, and the information assurance (IA) program
Committees
Separation of Duties (SoD)
-Layered security approach
-SoD duties fall within each IT domain
-Applying SoD can and will reduce both fraud and human errors
Layered security approach
-Using layered security provides redundancy of layers: if one layer fails to catch a risk, another layer should. Thus, the more layers, the better the chance that a risk will be mitigated. However, remember that each layer deployed also brings cost and restrictions.
Domain of responsibility and accountability
-These SoD duties fall within each individual domain, and applying SoD can and will reduce both fraud and human error.
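SoD is easiest to enforce when the conflicting duty pairs are written down and checked mechanically rather than by eye. The block below is an added illustration, not code from the textbook: it borrows the chapter's role names (data owner, data custodian, security administrator, auditor) but every duty name, conflict pair and user assignment is constructed sample data. It checks SoD at two levels: role definitions that are toxic by themselves, and users whose combined roles collide.

```python
# Added SoD illustration, not textbook code: role names follow the chapter, all
# duty names, conflict pairs and assignments are constructed sample data.
# Duties each role confers (constructed sample catalogue).
ROLE_DUTIES = {
    "data_owner":             {"classify_data", "approve_access_request"},
    "data_custodian":         {"run_backup", "restore_backup", "apply_patch"},
    "security_administrator": {"provision_account", "review_access_logs"},
    "auditor":                {"review_access_logs", "review_change_records"},
    "developer":              {"write_change"},
    "change_approver":        {"approve_change"},
}

# Toxic combinations: duties one person must never hold at the same time.
CONFLICTS = {
    frozenset({"provision_account", "review_access_logs"}),      # audit own grants
    frozenset({"write_change", "approve_change"}),               # approve own change
    frozenset({"approve_access_request", "provision_account"}),  # approve and execute
}

def duties_for(roles):
    """Union of the duties conferred by a collection of role names."""
    return set().union(*(ROLE_DUTIES[r] for r in roles))

def conflicts_in(duties):
    """Sorted conflict pairs that are fully contained in a duty set."""
    return sorted(tuple(sorted(c)) for c in CONFLICTS if c <= duties)

def toxic_roles():
    """Design-time check: roles whose own duty set already violates SoD."""
    return sorted(r for r, d in ROLE_DUTIES.items() if conflicts_in(d))

def sod_violations(assignments):
    """Assignment-time check: {user: conflict pairs} for users whose roles collide."""
    found = {}
    for user, roles in assignments.items():
        hits = conflicts_in(duties_for(roles))
        if hits:
            found[user] = hits
    return found

# Constructed sample assignments (user -> set of roles).
SAMPLE_ASSIGNMENTS = {
    "alice": {"developer"},
    "bob":   {"developer", "change_approver"},          # could approve own change
    "carol": {"data_owner", "security_administrator"},  # approves and provisions access
    "dave":  {"data_custodian", "auditor"},             # no conflicting pair
}

if __name__ == "__main__":
    print(toxic_roles(), sod_violations(SAMPLE_ASSIGNMENTS))
```

The design-time check matters as much as the assignment-time one: here the security administrator role itself bundles granting access with reviewing the access logs, so no assignment of that role can ever be clean until the role is split.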
Information Technology (IT) Security Controls
-IT security controls are a function of the IT infrastructure an organization has under its control and of the regulatory and business objectives that need to be controlled
-You can have too many IT security controls, impeding the organization from operating at optimal capacity and thus reducing its revenue potential
Information Technology (IT) Security Controls (Continued)
Generic IT security controls as a function of a business model
-Deploy a layered security approach
-Use an SoD approach
 -This applies to transactions within the domain of responsibility
-Conduct security awareness training annually
Information Technology (IT) Security Controls (Continued)
Apply the three lines of defense model
-First line: the business unit
-Second line: the risk management team
-Third line: independent auditors
Importance of Governance and Compliance
-Implementing a governance framework allows an organization to identify and mitigate risks in an orderly fashion
-Can be a cost-reduction move for organizations, since they can respond to audit requests more easily
-A well-defined governance and compliance framework provides a structured approach
-Can provide a common language
Importance of Governance and Compliance (Continued)
-It is also a best-practice model for organizations of all shapes and sizes
-Controls and risks become measurable with a framework
-Organizations with a governance and compliance framework can operate more efficiently
-If you can measure the organization against a fixed set of standards and controls, you have won
Security Policy Framework: Six Business Risks
-Strategic risk is a broad category focused on events that may change how the organization operates
-Compliance risk relates to the impact of the business failing to comply with its legal obligations
-Financial risk is the potential impact when the business fails to have adequate liquidity to meet its obligations
-Operational risk is a broad category that describes any event that disrupts the organization's daily activities
-Reputational risk results from negative publicity regarding an organization's practices. This type of risk could lead to a loss of revenue or to litigation.
-Other risk is a broad category that covers all other non-IT-specific events
Best Practices: Security Policy Framework
-Using a risk management approach to framework implementation reduces the highest risks to the organization
-ISACA's COBIT framework addresses the SOX 404 requirements for publicly traded organizations
-Align the organization's security policy with business objectives and regulatory requirements
Best Practices: Security Policy Framework (Continued)
-Which best-practice methodology to use is best answered by the organization's requirements and the governmental regulations it is subject to
GRC and ERM
Governance, Risk management, and Compliance (GRC)
-A discipline that formally brings together risk and compliance
-GRC best practices
 -ISO 27000 series
 -COBIT
 -COSO
Enterprise Risk Management (ERM)
-Follows common risk methodologies
Similarities Between GRC and ERM
-Defines risk in terms of business threats
-Applies flexible frameworks to satisfy multiple compliance regulations
-Eliminates redundant controls, policies, and efforts
-Proactively enforces policy
-Seeks line of sight into the entire population of risks
Differences Between GRC and ERM
-GRC focuses on technology: a series of tools and centralized policies
-ERM focuses on value delivery. It takes a broad look at risk, based on adoption driven by the organization's leadership, and shifts the discussion from what the organization should spend to how the organization spends money mitigating risk
Case Studies
-Hamburger chain
 -POS
 -WiFi Hotspot
-Edward Snowden
 -Excessive access
 -Penetration testing
-Adnoc Distribution
 -Inadequate funding of IT
Summary
-Information systems security policy frameworks and IT security controls
-Difference between GRC and ERM
-Business risks associated with a security policy framework
-Roles and responsibilities associated with an information systems security policy framework and SoD