KPMG LLP Advisory. Information Security: Policy, Awareness and Training, and Compliance. Graham J. Hill, IT Advisory Services, November 21, 2007.

2 Overview
- Information Security Governance: policy and procedure, and their relationship with training and awareness
- Security Awareness and Training: business drivers; program framework
- Compliance Audit and Assessment: methodology; different types

3 Objectives
Gain an understanding of:
- The relationships between corporate policy and training and awareness
- The business drivers: manage risk, promote a culture of awareness, empower employees, protect the company and its assets
- The components of an effective awareness program
- Assessing or auditing the program

4 The Corporate Information Security Policy: the "house rules"
- Conveys senior management's expectations to employees
- Helps to demonstrate due diligence in security
- Is meant to address the risks the company faces, whether from malicious or non-malicious activity
- Sets a baseline for behavior
- Conveys enforcement criteria
- Sets the stage for the development of procedures, standards and guidelines

5 Information Security Policy - Development
Considerations in the development of security policy:
- Business risk profile
- Protection of assets (tangible and intangible)
- Legal, statutory, regulatory and contractual obligations: SOX, HIPAA, GLBA, etc.
- Business requirements for the information processing that supports operations: inter-connectivity profile, IT usage profile
- Leveraging industry-accepted standards: ISO (International Organization for Standardization), COBIT (Control Objectives for Information and Related Technology), NIST (National Institute of Standards and Technology) Special Publication 800 series (800-50, ...)
- Security trends in the industry and emerging cyber-threats
- The "human" factor

6 The Relationship between Corporate Policy and Awareness & Training
Business drivers for implementing an awareness program:
- Communicate policy
- Explain the risks the organization faces
- Communicate risk mitigation tactics for known threats: social engineering, phishing/pharming, dumpster diving
- Address typical security issues in the workplace: physical security; mobile devices (PDAs, laptops, etc.); acceptable use; identity theft; hotlines, call trees and key internal contacts
- Outline employee responsibility and accountability
- Empower employees

7 Information Security Awareness & Training Always on the move…

8 What is the difference between Awareness, Training and Education?
Characteristics of awareness (the "what"):
- "For your information": meant for the recipient to recognize and retain
- Delivered via sessions, webinars or CBTs, e-mails, incentives and visible marketing materials
- Short-term retention
Characteristics of training (the "how"):
- Knowledge and skill, delivered via practical instruction
- Meant for intermediate retention: training on a specific role
Characteristics of education (the "why"):
- Insight and understanding, delivered via theoretical instruction (study, research)
- Long-term retention

9 Just some figures...
- Currently, 8 of the entries in the SANS "Top 20" list cite end-user awareness and training as part of the solution.
- A laptop belonging to Fidelity Investments, one of the largest mutual fund companies in the world, was stolen recently. Result: the laptop contained financial information on almost 200,000 current and former Hewlett-Packard employees.
- The Department of Veterans Affairs (VA) recently learned that an employee, a data analyst, took home data from the VA, which he was not authorized to do. Result: over 26 million veterans had their personal information stolen, including Social Security numbers and disability ratings, when the employee's home was burglarized. This included one of our Seattle-based Senior Managers.

10 Auditing and Assessing Methodology
To test the "design" of the program, analyze the program:
- Its history and background
- Its ideological foundation: does it reflect the policy, industry standards and regulatory concerns?
- Its framework: is it following a specific standard, or is it ad hoc?
- Its content
- The method of accountability: do training recipients sign off?
- Method(s) of delivery
- Whether it incorporates awareness AND training (awareness, role-based, performance-based)
- Whether the program curriculum is reviewed periodically for relevance

11 Auditing and Assessing Methodology
To test the "effectiveness" of the program:
- Sample a set of recipients and test their knowledge. Did they sign off?
- Test the curriculum that is taught: are awareness recipients able to identify threats? Are they able to stop the threat before it is realized? Do they report the attempt?
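To make the effectiveness test on this slide concrete, the following Python script (an added example, not part of the KPMG deck) scores a constructed phishing-simulation event log against the three questions above: did each recipient identify the lure (not click), stop the threat before it was realized (not submit credentials) and report the attempt. The log format, the user names and the event names are assumptions for illustration, not the export of any particular simulation tool.

```python
"""Score a phishing-simulation campaign against the three effectiveness
questions from the slide: identify, stop, report.
Added example; not part of the original presentation."""
from collections import defaultdict
from datetime import datetime

# Constructed sample data: one campaign's event log, one event per line.
# The "timestamp,user,event" layout is a hypothetical export format.
# Events: delivered, opened, clicked, submitted, reported.
SAMPLE_LOG = """\
2007-11-01T09:00:00,alice,delivered
2007-11-01T09:01:10,alice,opened
2007-11-01T09:01:40,alice,reported
2007-11-01T09:00:00,bob,delivered
2007-11-01T09:05:00,bob,opened
2007-11-01T09:05:30,bob,clicked
2007-11-01T09:06:00,bob,submitted
2007-11-01T09:00:00,carol,delivered
2007-11-01T09:10:00,carol,opened
2007-11-01T09:10:20,carol,clicked
2007-11-01T09:12:00,carol,reported
2007-11-01T09:00:00,dave,delivered
"""


def parse_events(text):
    """Group events per user, ordered by timestamp."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.strip().split(",")
        events[user].append((datetime.fromisoformat(ts), event))
    for seq in events.values():
        seq.sort()
    return dict(events)


def classify(seq):
    """Answer the three questions for one recipient's ordered events.

    exposed:    actually opened the lure (otherwise nothing was demonstrated)
    identified: never clicked the lure
    stopped:    never submitted credentials, i.e. the threat was not realized
    reported:   raised the attempt with the security team
    """
    names = {event for _, event in seq}
    return {
        "exposed": "opened" in names,
        "identified": "clicked" not in names,
        "stopped": "submitted" not in names,
        "reported": "reported" in names,
    }


def score_campaign(text):
    """Aggregate per-user outcomes into program effectiveness figures."""
    per_user = {user: classify(seq) for user, seq in parse_events(text).items()}
    recipients = len(per_user)
    exposed = sum(1 for r in per_user.values() if r["exposed"])
    identified = sum(1 for r in per_user.values() if r["identified"])
    stopped = sum(1 for r in per_user.values() if r["stopped"])
    reported = sum(1 for r in per_user.values() if r["reported"])
    # Retrain anyone who gave up credentials, or who clicked and then stayed silent.
    retrain = sorted(
        user for user, r in per_user.items()
        if not r["stopped"] or (not r["identified"] and not r["reported"])
    )
    return {
        "recipients": recipients,
        "exposed": exposed,
        "identified": identified,
        "stopped": stopped,
        "reported": reported,
        "identified_rate": identified / recipients if recipients else 0.0,
        "report_rate": reported / recipients if recipients else 0.0,
        "retrain": retrain,
    }


if __name__ == "__main__":
    for key, value in score_campaign(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note the "exposed" count: a recipient who never opened the message (dave in the sample) is counted as having identified the threat, which flatters the rate. When sampling recipients for the audit, decide up front whether the denominator is everyone who received the lure or only those who opened it, and keep the same denominator across campaigns so the trend is comparable.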

12 Third-Party Assessments
- Provide an independent view of the current state of the security program
- Provide a "snapshot in time" health check
- Typically leverage accepted industry standards (e.g. ISO standards such as ISO 17799/27002)
- Prioritize risk areas, provide direction and provide the business case

13 Standards-Based Audits
- Payment Card Industry (PCI) compliance assessment
- ISO 17799/27001 certification
- AICPA SysTrust and WebTrust
- NIST

14 Other Audits and Assessments
- Vendor and partner security assessments
- Security in mergers and acquisitions: when planning an IT merger, where does security fit? Regulatory compliance?

15 On the Horizon
- Regulation "du jour": increased legislation for businesses
- Changes in frameworks and standards
- Use of automated "performance measurement" tools
- Integrating security with other standards such as ITIL

16 Questions and Comments???

17 Thank you. Graham Hill, CISSP, CISM, ITIL. Manager, IT Advisory - Information Protection Services, KPMG LLP, Seattle, WA

18 References
- ISO 17799/27001
- NIST SP 800 series
- COBIT v4.0
- Petri Puhakainen, "A Design Theory for Information Security Awareness"