Enforcing Business Rules and Information Security Policies through Compliance Audits - Frederick Yip, University of New South Wales - BDIM 2006, Vancouver, Canada, April 7

Presentation transcript:

April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales

Enforcing Business Rules and Information Security Policies through Compliance Audits
Frederick Yip, Pradeep Ray, Nandan Paramesh
School of Computer Science & Engineering; School of Information Systems & IT Management
University of New South Wales, Sydney, Australia

Outline
- Background: what is the industry doing?
- Problem: what are the challenges?
- Motivation: how these challenges motivated the research
- XISSF: compliance mechanism
- Limitations and future work: holistic framework
- Conclusion

Background
- Ever-increasing pressure on, and responsibility for, organizations to fulfil the requirements imposed by different regulations
- Actively assessing corporate security compliance based on recognized standards, guidelines and best practices (e.g. CobiT and ISO standards) secures trust and recognition from customers and business partners
- Compliance spending: US$15.5 billion in 2005; US$5.8 billion for Sarbanes-Oxley alone in 2005; estimated to exceed US$80 billion over the next 5 years
- HIPAA affects organizations that maintain medical health information
- New: the European 8th Directive, the SOX equivalent in the EU, currently in draft

Standards
- CobiT v3, CobiT v4: Control Objectives for Information and related Technology
- ISO/IEC 17799:2000, ISO/IEC 17799:2005: Information technology - Security techniques - Code of practice for information security management
- AS/NZS 17799:2001: Information technology - Code of practice for information security management
- BSI IT Baseline Protection Manual
- BS 7799, ISO/IEC 27001: Information technology - Security techniques - Information security management systems - Requirements

The Problem
- Multi-regulation: 3 out of 4 organizations must comply with 2 or more regulations; 43% of organizations must comply with 3 or more
- Too many standards: which one should you use? The choice depends on regulations, organization structure, jurisdiction, industry and auditor
- Standards differ, some overlap, and they change from time to time (versions)
- Manual process: time-consuming, requires co-ordination and co-operation from business units, and is subjective

Compliance Process
- Traditional checklists
- Legislation and regulation are ambiguous to IT
- The need for a common infosec specification format that can be distributed to other business units
- What about multiple information security standards?
- The need for a uniform way of checking compliance with policies and best practices
- The need for a uniform way to report audit and compliance results

eXtensible Information Security Specification Format (XISSF)
What is it?
- A common infosec specification format and platform, not vendor- or firm-specific
- Based on XML
- Textual descriptions of the security clauses or safeguards within infosec standards are restructured and codified
XISSF is capable of:
- Encapsulating and segregating the clauses extracted from different textual standards; clauses in heterogeneous formats from multiple standards can be encapsulated in a single XISSF document
- Being transported between business units across a global business
- Expressing information security specifications explicitly, which decreases ambiguity
- Providing a uniform way of checking compliance with policies and best practices
- Providing a machine-interpretable format for computer-aided assessment of security compliance

XISSF
- Foundation for providing automated support for compliance audits
- Addresses the problem of heterogeneous information security standards
- Agents can be designed to perform routine and subjective tasks based on XISSF (mobile agents and multi-agent systems)
Tags
- Atomic actionable questions or statements are identified as checkpoints
- An enclosed weighting metric for each checkpoint in the clauses, for audit and assessment purposes
[Figure: XISSF element tree. The XISSF root contains GROUP elements; a GROUP contains CLAUSE elements and may nest further GROUPs; a CLAUSE contains CHECKPOINT and OBJECTIVE elements. Attribute sets shown in the figure: description, weight, required threat type, constraints, pre-requisites (on checkpoints); due, reminder, reference; id, required, role; title, pre-req.]

Regulations/Standards/Clauses/Checkpoints
[Figure: hierarchy of regulations, standards, clauses and checkpoints]

Sample Clause - ISO 17799: Information security policy document
Control: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
Implementation guidance: The information security policy document should state management commitment and set out the organization's approach to managing information security. The policy document should contain statements concerning:
a) a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing (see introduction);
b) a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
c) a framework for setting control objectives and controls, including the structure of risk assessment and risk management;
...

Sample XISSF (draft), element text as shown on the slide:
- XISSF - eXtensible Information Security Specification Format. This document defines a list of security specification policies that should be enforced on the organization. This can vary from technical policies to abstract business-level processes.
- Standard: ISO17799, International Organization for Standardization
- Clause: ISO17799: Information security policy document
- Control: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
- Guidance: The information security policy document should state management commitment and set out the organization's approach to managing information security.
- Checkpoint: The policy document should contain statements concerning a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing.
- Checkpoint: The policy document should contain statements concerning a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives; ...
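As an added example (not code from the paper or from the XISSF authors), the following Python script shows what the machine-interpretable format in the tag figure and the sample above buys an auditor: it parses a constructed XISSF-style document, normalizes checkpoints that recur across standards (the same objective appearing in an ISO 17799 clause and in a CobiT clause) so that one piece of audit evidence answers both, and computes a weighted compliance score per standard, flagging required checkpoints that failed or were never answered. The element and attribute names follow the tag figure in the slides, but the schema, the sample clauses, their ids, roles and weights are all assumptions made for this example.

```python
"""Added example (not the authors' code): parse a hypothetical XISSF document,
normalize checkpoints across standards, and score compliance per standard.

Assumptions: element names XISSF/GROUP/CLAUSE/CHECKPOINT/OBJECTIVE and the
attributes id, weight, required, role, reference and due are taken from the
tag figure in the slides; their exact schema and semantics are assumed here,
and the clause ids, titles and weights below are illustrative only.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two standards whose clauses share one checkpoint objective.
SAMPLE_XISSF = """<?xml version="1.0" encoding="UTF-8"?>
<XISSF>
  <GROUP id="ISO17799" reference="ISO/IEC 17799:2005" due="2006-06-30">
    <CLAUSE id="5.1.1" title="Information security policy document">
      <CHECKPOINT id="5.1.1-a" weight="3" required="true" role="CISO">
        <OBJECTIVE>Policy document approved by management</OBJECTIVE>
      </CHECKPOINT>
      <CHECKPOINT id="5.1.1-b" weight="2" required="false" role="CISO">
        <OBJECTIVE>Policy published and communicated to all employees</OBJECTIVE>
      </CHECKPOINT>
    </CLAUSE>
  </GROUP>
  <GROUP id="COBIT4" reference="CobiT v4" due="2006-06-30">
    <CLAUSE id="PO6.1" title="IT policy and control environment">
      <CHECKPOINT id="PO6.1-a" weight="2" required="true" role="CIO">
        <OBJECTIVE>Policy document approved by management</OBJECTIVE>
      </CHECKPOINT>
    </CLAUSE>
  </GROUP>
</XISSF>
"""


def load_checkpoints(xml_text):
    """Flatten every CHECKPOINT (at any GROUP nesting depth) into a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "XISSF":
        raise ValueError("not an XISSF document: root element is %r" % root.tag)
    found = []
    for group in root.iter("GROUP"):          # iter() also visits nested GROUPs
        for clause in group.findall("CLAUSE"):
            for cp in clause.findall("CHECKPOINT"):
                found.append({
                    "group": group.get("id"),
                    "clause": clause.get("id"),
                    "id": cp.get("id"),
                    "weight": float(cp.get("weight", "1")),
                    "required": cp.get("required", "false").lower() == "true",
                    "role": cp.get("role"),
                    # collapse whitespace so trivially different phrasings match
                    "objective": " ".join((cp.findtext("OBJECTIVE") or "").split()),
                })
    return found


def normalize(checkpoints):
    """Map each distinct objective to the checkpoint ids that share it,
    across all standards in the document (the normalization step)."""
    by_objective = defaultdict(list)
    for cp in checkpoints:
        by_objective[cp["objective"].casefold()].append(cp["id"])
    return dict(by_objective)


def propagate(results, checkpoints):
    """Copy an audit verdict to duplicate checkpoints in other standards.
    Conservative: if any answered duplicate failed, the unanswered ones fail too."""
    merged = dict(results)
    for ids in normalize(checkpoints).values():
        known = [merged[i] for i in ids if i in merged]
        if known:
            verdict = all(known)
            for i in ids:
                merged.setdefault(i, verdict)
    return merged


def score(checkpoints, results):
    """Weighted compliance per GROUP (standard); failed or unanswered required
    checkpoints are listed so a high percentage cannot hide a hard failure."""
    by_group = defaultdict(list)
    for cp in checkpoints:
        by_group[cp["group"]].append(cp)
    report = {}
    for gid, cps in by_group.items():
        total = sum(cp["weight"] for cp in cps)
        passed = sum(cp["weight"] for cp in cps if results.get(cp["id"], False))
        report[gid] = {
            "score": round(100.0 * passed / total, 1) if total else 0.0,
            "failed_required": [cp["id"] for cp in cps
                                if cp["required"] and not results.get(cp["id"], False)],
            "unanswered": [cp["id"] for cp in cps if cp["id"] not in results],
        }
    return report


if __name__ == "__main__":
    cps = load_checkpoints(SAMPLE_XISSF)
    # Constructed audit evidence: only the ISO clause was assessed.
    evidence = {"5.1.1-a": True, "5.1.1-b": False}
    print(score(cps, propagate(evidence, cps)))
```

The `propagate` step is where the paper's claim that normalization "decreases redundant compliance tasks" becomes concrete: the CobiT checkpoint is never assessed separately because its objective is identical to the ISO one, and the conservative merge rule means conflicting evidence between standards surfaces as a failure rather than being silently overwritten.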

Scenario: HIPAA
[Figure: HIPAA compliance scenario]

Limitations & Future Work
- Preliminary in nature, but essential for any future work
- Checkpoints are currently in English, so human intervention is still needed
- Improve automation
- Ontology-based schema for each governance standard
- Application of concept learning/extraction methodologies for IT standards
- Assessment strategy based on XISSF
- Agent-based compliance management based on XISSF

The Big Picture
[Figure: architecture diagram showing the interface agents and the points of agent involvement]

Conclusion
- An approach and mechanism to express explicit information security requirements and compliance audits in a codified format
- Increases portability, especially for global business
- Provides a foundation to enable computer-assisted compliance auditing
- Normalization of XISSF decreases redundant compliance tasks and identifies conflicts
- Reduces interaction time in the compliance process and improves efficiency
- Better modularization to segregate compliance tasks; role-based
- Ability to consolidate and extend multiple, heterogeneous infosec specifications
The process of compliance is an important component of ensuring IT security controls are employed and used correctly. It is a continuous effort!