Connect communicate collaborate Managing Information Security while enabling communities Kenneth Høstland (CISA, CRISC), UNINETT TNC 2011 Prague, 16 May.

Slides:



Advertisements
Similar presentations
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Advertisements

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Chapter 10 Accounting Information Systems and Internal Controls
Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.
Security Controls – What Works
Information Security Policies and Standards
Efficiency and security of the Norwegian National Health Network Janicke Weum Halvor Bjørnsrud Office of the Auditor General of Norway Beijing, April 2010.
Computer Security: Principles and Practice
Internal Auditing and Outsourcing
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Developing Enterprise Architecture
Information Security Governance 25 th June 2007 Gordon Micallef Vice President – ISACA MALTA CHAPTER.
Postgraduate Educational Course in radiation protection and the Safety of Radiation sources PGEC Part IV The International System of Radiation Protection.
Security Policies Jim Stracka The Problem Today.
Company Confidential How to implement privacy and security requirements in practice? Tobias Bräutigam, OTT Senior Legal Counsel, Nokia 8 October
The Challenge of IT-Business Alignment
Presented by : Miss Vrindah Chaundee
Audit of predetermined objectives Presentation: Portfolio Committee on Economic Development March 2013.
Private & Confidential1 (SIA) 13 Enterprise Risk Management The Standard should be read in the conjunction with the "Preface to the Standards on Internal.
ITIL Framework. What is ITIL ? ITIL stands for the Information Technology Infrastructure Library. ITIL is the international de facto management framework.
LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
Chapter 8 Auditing in an E-commerce Environment
2/20/2016 Leveraging IT Governance and COBIT Chip Council, PhD, CGEIT, CISM, CISA Matt Schmidt, MS, CISSP, CISA Adjunct Professors, University of Minnesota.
Getting to Grips with CobiT – Enterprise Architecture, a conseptual approach to IT Covernance or how to understand the difference between IT Governance.
1 QUALITY MANAGEMENT SYSTEM PRESENTATION TO BOTSWANA DRUG ADVISORY BOARD MEMBERS 13 th – 17 th AUGUST 2007.
How Good are you at Managing your Processes? Operational Excellence.
Driving Value from IT Services using ITIL and COBIT 5 July 24, 2013 Gary Hardy ITWinners.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Internal Audit Agency Integrity + Professionalism INTERNAL AUDIT AGENCY ISACA Presentation 15 July, 2013 Alisa Hotel, ACCRA.
What is ISO Certification? Information is a valuable asset that can make or break your business. When properly managed it allows you to operate.
Primary Steps for Achieving ISO Certification.
On completion of the scenario, students will be able to: Learning Outcomes 1 Critically analyse and prioritise information security risks. 2 Systematically.
(3.6) General requirements on resources for the establishment of IMS
Information Security Policy
Making the Connection ISO Master Class An Overview.
An Overview on Risk Management
Security measures deployed by e-communication providers
Audit of predetermined objectives
BIL 424 NETWORK ARCHITECTURE AND SERVICE PROVIDING.
Disaster and Emergency Planning
IS4550 Security Policies and Implementation
Overview of IT Auditing
Integrated Management Systems
Document Evaluation Process May 2005 Revision
Learn Your Information Security Management System
CIGFARO ANNUAL CONFERENCE – 11 OCTOBER 2017
Software Configuration Management
Predetermined Objectives – 2013/14
Prepared by Rand E Winters, Jr. ASR Senior Auditor October 2014
Business – IT Alignment
Fundamentals of ISO.
Training Course on Integrated Management System for Regulatory Body
INTRODUCTION TO ISO 9001:2015 FOR IMPLEMENTATION Varinder Kumar CISA, ISO27001 LA, ISO 9001 LA, ITIL, CEH, MEPGP IT, Certificate course in PII & Privacy.
Technology Audit Plan ----BCSY University
AAHRPP Accreditation Welcome to the University of Georgia’s presentation for accreditation of the human research protection program (HRPP). This presentation.
IS4550 Security Policies and Implementation
Alignment of COBIT to Botswana IT Audit Methodology
IS4550 Security Policies and Implementation
Information Security Risk Management
Predetermined Objectives – 2013/14
Assessment Workshop Title of the Project (date)
Cyber security Policy development and implementation
Safety Management System Implementation
MODULE B - PROCESS SUBMODULES B1. Organizational Structure
Engineering Processes
COBIT 5: Framework, BMIS, Implementation and future Information Security Guidance Presented by.
Taking the STANDARDS Seriously
Define Your IT Strategy
Closing event 16th July 2019 Technical Assistance for Establishing the Institutional Framework for the Implementation of AIS/AES Project funded by the.
Presentation transcript:

connect communicate collaborate Managing Information Security while enabling communities Kenneth Høstland (CISA, CRISC), UNINETT TNC 2011 Prague, 16 May 2011

connect communicate collaborate Overview 1.Background 2.Information security and its drivers 3.IS Audit 4.General experience of higher education sector 5.Security Policy 6.Further work 2

connect communicate collaborate Background UNINETT have done a lot of work with Norwegian higher education institutions on technical security for many years The IT departments are de facto responsible for Information security, and the solutions have evolved from an exclusively technical point of view No clear strategy and no specific goals for information security. The lack of involvement and commitment from the upper management has lead to the implementation of arbitrary security measures in many organisations. 3

connect communicate collaborate UNINETT has added focus on information security and policy for the Norwegian higher education sector UNINETT has prepared a "package“ including IS Audit Security Policy, including "basic package" Options: Routines and procedures Risk and vulnerability Assessments Business Continuity Plans (BCP) Background 4

connect communicate collaborate IT governance – our focus IT Governance is the glue between business processes and involved IT support functions, and in the same time the structure of the IT function itself 5

connect communicate collaborate Systematic use of information security management system (ISMS) to protect business information and information systems, physical security and personnel security. Confidentiality (information is only available to those who should have access) Integrity (information is accurate and complete) Availability (information is available within the requirements set) What is Information Security? Risks - in general Conditions or events may occur and affect the achievement of objectives. Frequency and severity All information systems have vulnerabilities that can be exposed to threats. 6

connect communicate collaborate Drivers for information security Regulatory requirements Business requirements Actual threats Technology 7

connect communicate collaborate One-day on-site audit / review Start-up meeting with executive/top management (Important!) Interviews with key personnel Review of the received documentation Prepare report IS Audit 8

connect communicate collaborate A typical agenda for IS Audit / Security Assessment

connect communicate collaborate Prerequisite The key? Management involvement 10

connect communicate collaborate Three core areas ISO 27001/27002: Strong on security, but does not say how it should work Control Objectives for Information and Related Technology (COBIT) by ISACA: Strong in IT controls and parameters, and security. Provides alignment between business goals/financial goals objectives and planning of policy, procedure and process for IT Information Technology Infrastructure Library (ITIL): Strong in IT processes, but limited in security and system development. ITIL is focused on Service Delivery. 11

connect communicate collaborate Regulatory drivers – Personal Data Act § /Norwegian Personal Data Act - Section 13 Data security The confidentiality, integrity and accessibility of personal data shall be ensured by means of planned and systematic measures, satisfactory data. The data systyem and the security measures shall be documented.  Policy 12

connect communicate collaborate Regulatory drivers – EU directives Within EU the following directives regulate many aspects related to information security: Directive 95/46/EC (Data Protection Directive) Directive 2002/58/EC (the E-Privacy Directive) Directive 2006/24/EC Article 5 (The Data Retention Directive) 13

connect communicate collaborate Regulatory drivers – Personal Data Act § / Section 13 Data security The controller and the processor shall by means of planned, systematic measures ensure satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the processing of personal data. To achieve satisfactory data security, the controller and processor shall document the data system and the security measures. Such documentation shall be accessible to the employees of the controller and of the processor. The documentation shall also be accessible to the Data Inspectorate and the Privacy Appeals Board.  Policy 14

connect communicate collaborate Benefits of an structured approach Provides an essential overview of the risks Reduces the risk of adverse events ( Discrepancies ) Identify appropriate control measures, which should be:  cost-effective  easy to manage  easy to implement  meet the security requirements  Helping to secure what is important! A structured approach to security, based on relevant policies and procedures, helps the institution achieve its goals! 15

connect communicate collaborate Trends Information is more valuable than ever Networks are critical infrastructure more and more business critical ID theft Attacks faster than patches (zero day) end-users represent a risk targeted attacks organized crime The relevant threats are identified through risk assessment Drivers – threats and vulnerabilities 16

connect communicate collaborate Typical IS audit conclusions The technical security of the existing solutions is mostly satisfactory, and provides relevant security against traditional threats. A Data Inspectorate audit would have resulted in clear orders that would have to be fulfilled within six months in line with the recommendations in our report. Some essential governing documents are missing, e,g. o security policy (incl. security objectives and strategy), o IT strategy o continuity and contingency plans for IT. Outsourcing contracts are inadequate with respect to information security, including missing SLA. i.e – “The terrain can be good - but the map is missing” 17

connect communicate collaborate Experiences from the sector Computers stolen Information astray ID theft Internal information published Loss of reputation Unavailability of Administrative systems Security and risk level is set at a low level in the organizational activities -> leads to "Armoured steel doors In a picked fence“ 18

connect communicate collaborate IS Audit: Overall recommendations Establish Security Policy based on ISO 27002, and implement it, including a selection of procedures. Establish the role of Chief Security Officer (CSO) and formally anchor the responsibility for information security in senior management. Perform risk assessment of systems with personal data with respect to confidentiality, integrity and availability. Develop an overview of the Personal Data that are processed Establish a satisfactory security architecture based on the concept of security levels Develop BCP (Business Continuity and Contingency Plans) for ICT infrastructure. 19

connect communicate collaborate Information security in perspective Security is: 80 % attitudes, knowledge, regulative measures, is controlled through  Policy 20 % tecnology, is controlled through  Policy, IT-strategy PEBKAC “Good IT security starts and ends with individuals, not with firewalls, antivirus or IDS systems. One rotten apple can destroy a whole box in no time, and an apple with the crumbling decay rapidly” (Helge Skrivervik, myMAYDAY.com). 20

connect communicate collaborate Appropriate security? 21

connect communicate collaborate What is ISO 27001/27002? ISO’s standard for information security management system (ISMS) ISO specifies how to design a management system for Security (ISMS) ISO is a Code of practice for information security, and define what an ISMS should include 22

connect communicate collaborate ISO

connect communicate collaborate ISO in all its cruelty Some of the contents … 24

connect communicate collaborate Security put in system Inspectorate often get questions about how the company l can adapt to the Data Inspectorate's requirements for information security. Among other ¸it is Asked about the relationship with ISO standards. The regulation is based on ISO standards. Chapter 2 of the Personal Data Regulations (The Information Security chapter) is based on and have the same systematics as the ISO standard The standard is more exhaustive and is another useful tool for enterprises. The standard series consist of two parts. The first part is translated into Norwegian. The standard can be obtained by contacting Pronorm. 25

connect communicate collaborate Security with a system – document structure Why What How 1) Security Policy defines the goals, purpose, responsibility and overall requirements. Governing document 2) Guidelines for information security. Defines what should be done to comply with the established policy. Governing document – ISO 27k structure 3) Standards and procedures Contain detailed guidelines for the implementation of security. Accomplishing and controlling documents 26

connect communicate collaborate Basic requirements for policy A security policy must be possible to implement and enforce be concise and easy to understand balance protection with productivity express why it is established describe what it covers define the responsibilities and contact points specify how the violations will be handled 27

connect communicate collaborate Roadmap - implementing policy Process for implementation of security policy 1.Draft of policy before workshop → version Policy workshop → version Internal treatment in the management → version Approval of the Board → version Policy comes into force; publishing, information, training 4.Revision Process for 6-12 months CSO is the process responsible, IT director is secretary 28

connect communicate collaborate Achieved results Our achivements in the sector include Phase I: 85% of the institutions covered with IS Audit 60% of the institutions have implemented IS Policy Phase II Assisting the institutions with Risk assessments Business Impact Assessments Developing BCP Remember: Security is not difficult, but challenging. It is not a project but a process. And it never ends, but is continuously evolving.(Helge Skrivervik – myMAYDAY.com) 29

connect communicate collaborate A methodical approach to Information security … a risk-controlled approach … 30

connect communicate collaborate At last

connect communicate collaborate THANK YOU FOR YOUR ATTENTION! Questions? 32

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.