ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

IT Security Frameworks
- Governance framework – specifies how to do security planning and implementation
- Multiple frameworks exist:
  - CobIT
  - ISO/IEC
  - COSO

Why are IT Security Frameworks needed?
Sarbanes-Oxley Act of 2002 (SOX)
- Section 404 – public companies must use an internal control framework and perform annual assessments
- No specific framework is required
PCAOB Audit Standard No. 2
- A control framework should be used to test the effectiveness of accurate financial reporting
Information can be the most valuable asset a company has

COBIT & ISO Family
Two popular IT Security Frameworks

CobIT
Control Objectives for Information and Related Technology
- Developed in conjunction with the “Big Four” accounting firms
- Published by the IT Governance Institute
- Broad framework to implement IT controls

CobIT
Focuses on four areas of control:
- Planning and Organization (Plan)
- Acquisition and Implementation (Do)
- Delivery and Support (Check)
- Monitoring (Correct)
34 high-level control objectives
318 detailed control objectives

CobIT Maturity Model
- Tool for management to go through the company’s current IT processes and determine whether they are effective or non-existent
- Assists in determining which areas require more effort
Once the environment has been assessed, management can develop:
- Critical success factors
- Key performance indicators
- Key goal indicators

CobIT Plan and Organize
- Necessary to ensure objectives of “Acquire & Implement” and “Delivery & Support” are met
- Establish the corporate vision
- Determine the level of acceptable risk
- Focuses on the best way to implement the IT structure

CobIT Plan and Organize Control Objectives
1. PO1 – Define a strategic IT plan
2. PO2 – Define the information architecture
3. PO3 – Determine technological direction
4. PO4 – Define the IT processes, organization, and relationships
5. PO5 – Manage the IT investment
6. PO6 – Communicate management aims and direction
7. PO7 – Manage IT human resources
8. PO8 – Manage quality
9. PO9 – Assess and manage IT risks
10. PO10 – Manage projects

CobIT Acquire and Implement
- After planning is completed, the company must determine how to implement the new internal control process
- Can involve acquiring new technologies

CobIT Acquire and Implement Control Objectives
1. AI1 – Identify automated solutions
2. AI2 – Acquire and maintain application software
3. AI3 – Acquire and maintain technology infrastructure
4. AI4 – Enable operation and use
5. AI5 – Procure IT resources
6. AI6 – Manage changes
7. AI7 – Install and accredit solutions and changes

CobIT Deliver and Support
- Controls cost
- Guarantees the three initiatives of confidentiality, availability, and integrity are in place
- Ensures new controls are maintained

CobIT Deliver and Support Control Objectives
1. DS1 – Define and manage service levels
2. DS2 – Manage third-party services
3. DS3 – Manage performance and capacity
4. DS4 – Ensure continuous service
5. DS5 – Ensure systems security
6. DS6 – Identify and allocate costs
7. DS7 – Educate and train users
8. DS8 – Manage service desk incidents
9. DS9 – Manage the configuration
10. DS10 – Manage problems
11. DS11 – Manage data
12. DS12 – Manage the physical environment
13. DS13 – Manage operations

CobIT Monitor and Evaluate
- Measures whether the controls implemented are sufficient
- Assurance that the company is meeting regulatory requirements
- Attends to the issue of ongoing evaluation

CobIT Monitor and Evaluate Control Objectives
- ME1 – Monitor and evaluate IT performance
- ME2 – Monitor and evaluate internal controls
- ME3 – Ensure compliance with external requirements
- ME4 – Provide IT governance

CobIT
- Broad framework, covering a large range of internal controls
- Does not give specific ways to make the company’s information more secure

ISO Series
- Issued by the International Standards Organization
- Popular globally; used by companies within the US and those abroad
- Includes multiple standards, among them 27008

ISO Series
ISO
- “Specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management System.”
ISO
- Focuses on information security and lists controls and control mechanisms which can be implemented to comply with ISO 27001

ISO Series
ISO
Covers 11 main areas of information security management:
1. Security Policy – creating policies based on the organization’s needs
2. Organization of Information Security – managing the security infrastructure
3. Asset Management – assigning responsibility for assets and physical security of the assets
4. Human Resource Security – personnel screening, code of conduct, training, and a process to address violations
5. Physical & Environmental Security – analyzing the environment, securing the physical perimeter, and appropriate controls

ISO Series
ISO
6. Communications and Operations Management – ensures correct and secure operation of assets
7. Access Control – “Properly protect access to an organization’s information, such as controls required to combat hacker attempts and other malicious attempts to access organization networks and information.” – Wallace
8. Information Systems Acquisition, Development, & Maintenance – discusses the security requirements needed
9. Information Security Incident Management – plan for reporting and managing security events, incidents, and weaknesses

ISO Series
ISO
10. Business Continuity Management – plans to address disruptions in normal operations and ongoing reassessment of plans
11. Compliance – “is intended to ensure that the organization avoids breaches of any criminal or civil law, as well as any statutory, regulatory or contractual obligations, and of any security requirements.” – Calder

ISO Series
- If all controls are implemented properly, the company will be in compliance with SOX (in regard to IT security)
- Focuses solely on IT security

CobIT vs. ISO Series
Compare
- Both relate to IT controls
- Created based on past experience
- Continuously refined
Contrast
- CobIT is a broad framework on how to implement internal controls
- ISO focuses exclusively on IT security
Combination of CobIT & ISO provides an organization the best IT security.

ISO and CobIT Mapping
- The IT Governance Institute has created a mapping between ISO and CobIT
- Links ISO control objectives to each dimension in the CobIT framework
- Results in a framework that is high-level enough to be integrated with IT governance and overall corporate governance
- Also detailed enough to provide managers with the necessary steps to implement these controls

ISO and CobIT Mapping
CobIT: Deliver & Support 5.2
- Relates to identification, access, and authorization
- “The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources with access rules.” (IT Governance, COBIT Mapping)

ISO and CobIT Mapping
ISO objectives (section numbers listed in parentheses next to each item below) state exactly what should be done to meet the requirements of COBIT DS5.2:
- Access of third parties should be controlled (4.2).
- Adequate privilege management should be included in application systems. Authorizations should be documented and follow a defined process (9.2.2).
- Passwords should be used for authentication. Passwords should be given to identified users in a secure manner and not in unprotected electronic mail messages (9.2.3).
- Access controls to internal and external networked services should be in place (9.4).

ISO and CobIT Mapping  User authentication for external connections should be controlled. Access restrictions should be based on a risk assessment. Authentication should consider hardware tokens, challenge/response protocols, dial-back or other mechanisms (9.4.3).  Authentication mechanisms should be based on node authentication, if applicable (9.4.4).  Access controls (e.g., key locks) should ensure that only required access can be obtained. This should include procedures and arrangements (9.4.5).  Special access controls should be in place for shared networks (9.4.7).  Identity should be verified as part of operation system access control. Identification of the user’s location should be considered (9.5).

ISO and CobIT Mapping  Connection to specific locations should be based on automatic terminal identification, when appropriate (9.5.1).  Requirements for terminal logon procedures (e.g., maximum number of unsuccessful logon attempts) provided in the ISO standard should be considered (9.5.2).  A unique user ID should be required for all individuals. Users’ privileges should not be identifiable by the user ID. A shared user ID should be used only when a clear business case exists. Identification and authentication can be based on passwords, biometric technologies or a combination of technologies (9.5.3).  A good password management system raises the quality of passwords and should be implemented. Requirements for password management systems are provided in the ISO standard (9.5.4).  Access should be ended after defined time-out delay. Alternatively, screen savers that prevent unauthorized access to terminals can be used (9.5.7).

Conclusion
- SOX’s strong focus on internal controls has required organizations to implement an IT governance framework
- Companies must review and report on internal controls with management and external auditors
- A combination of CobIT and the ISO series is the best way to ensure compliance