IT Security Requirements

Presentation transcript:

IT Security Requirements
- Protection requirements
- Safeguards
- Controls
  - Preventive (before)
  - Detective (during)
  - Corrective (after)

IT Security ”Catalogue” for Controls
- A suitable (reasonable) set of Security Requirements
- Standard: ISO/IEC 17799 (BS 7799-1), an International Standard and the ”de facto” standard
- ISF (Information Security Forum): Standard of Good Practice (Information Security)
- Guidelines: ISO/IEC TR 13335, parts 1-5 (International Technical Reports)
- Certification (a possibility): BS 7799-2, which specifies a necessary minimum of Security Requirements

Level of requirement (Terminology)
- Should (Shall)
- Must
- Ought
- In reading or in writing?

IT Security requirements
- Law (invariable), national and international
- Regulation
- Rules
- Standard
- Policy
- Guidance / Guidelines
- Procedure
- Instruction (manual operation)

Who specifies the IT Security Requirements? (Invariable demand or not …)
- External (requirement from outside)
  - Law (legal aspect, legislation): ”Breaking the rule is punishable”
  - Departmental order
  - Requirements from business partners
  - Certification
  - Customer agreements
- Internal
  - More or less related to standards: ISO/IEC 17799, ISF, DS 484 (Danish norm)
  - The issuing body (”instans”)
  - Management team / business needs
  - Risk assessment
  - IT Security Policy
  - IT Security Guidelines (hierarchy)
- Informal
  - Ethics, code of ethics
  - Valuable property

IT Security Policy
- Use for: a signal to business partners and employees
- Responsible (create, update, create awareness): IT Security Manager
- Approved by: board of directors
- Relation to: business strategy
- Characteristics: highly abstract, non-technical language, max 2 pages
- Content: ”We shall ….” (example follows the ISF Standard of Good Practice)
- Applies to: IT Security Guidelines
- Type of document: official (should be), but can be kept secret from the public

IT Security Guidelines
- Use for: directions to employees
- Responsible (create, update, create awareness): IT Security Manager in co-operation with the people who need the guideline
- Approved by: executive management
- Relation to: IT Security Policy
- Characteristics: more concrete language, aimed at users or at the technical side
- Content: ”We shall, for network dial-up solutions …. always use strong authentication with a one-time-password generator”
- Applies to: IT instruction or procedure
- Type of document: kept from the public

Network Security Policy (Guideline)
- Use for: keeping the focus on security in the network
- Responsible (create, update, create awareness): IT Security Manager in co-operation with the network team
- Approved by: executive management / IT management
- Relation to: IT Security Policy
- Characteristics: more concrete language, aimed at the technical side
- Content: ”We shall protect our Intranet as if it were the Internet”; ”We shall always use switch-to-the-desktop on the LANs”
- Applies to: network instruction or procedure
- Type of document: kept from the public

Creating an IT Security Guideline
- Choose one guideline from ISF (example: CN23) and just follow ”the one and only”
- Choose three guidelines from ISF (example: CN23 + CB53 + SM54), ”shake up” the three guidelines and create your own
- Make the new guideline more concrete
- Do something different?

In the ”real” world
- Documentation is used for: priority, state, quality arrangement, homogeneity in the way of doing things
- Priority
  - Written guidelines (easy to see what the staff do)
  - Verbal guidelines to follow (practice should be in accordance with what the staff tell you)
  - Nothing (a problem)
- State
  - Guidelines
  - Reality (the guidelines ”won't” be used?)
  - Being granted an exemption from the IT Security department
- It is important to find a balance between the paperwork and documentation you create and what will actually be used in the future

IT Security level
- Relative (?)
- A company can choose to live up to a satisfactory level of IT security (trust?)
- A company can choose to live up to:
  - Guidance: ISO/IEC 17799-1, ISF, DS 484-1
  - Certification: BS 7799-2, DS 484-2
- Result, measured against ISF (”the solution”):
  - ISF ”the solution” <: some points to be addressed (goal for the auditor)
  - ISF ”the solution” =: satisfactory
  - ISF ”the solution” >: better than ISF (maybe the company's decision)

Evolution (obsoleted and new): who should take care?
- Standards: BS 7799 will soon come in a new version
- IT Security Policy: how to handle the relation to the IT Security Guidelines?

IT Security Organisation
- Corporate level: IT Security Officer, normally responsible for one or more IT Security Managers
- Company: IT Security Manager, normally reports to the board of directors of the company and is responsible for the IT Security Department
- IT Security Consultant: staff in the IT Security Department
- IT Security Co-ordinator: stand-in for the IT Security Manager
- Department: line managers in general are responsible for security within their areas
- IT Security Responsible: for example a staff member in the Network Department responsible for the firewall system
- Employees: to be trained for IT security awareness

Auditing and the Auditors
- Who controls the controls, and why? IT and financial auditors (internal and external)
- There is a need for ongoing audit because the solutions will always ”sand up” (degrade over time)
- Who uses the auditors, and why?
  - Board of directors: prosecution if something goes wrong
  - The company's accountants
  - Shareholders (stockholders)
  - When convincing business partners and customers: prove that the IT security level is satisfactory
  - Declaration (yearly statement): business partners, the public