© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.

Lesson 4: IT Security Policy Framework Approaches

Learning Objective
Describe the different methods, roles, responsibilities, and accountabilities of personnel, along with the governance and compliance of a security policy framework.

Key Concepts
Different methods and best practices for approaching a security policy framework
Importance of defining roles, responsibilities, and accountability for personnel
Separation of duties (SoD)
Importance of governance and compliance

DISCOVER: CONCEPTS

Information Systems Security Policy Frameworks
Choosing the right framework is not easy
Use a simplified security policy framework domain model
Flexible frameworks fit governance and compliance planning requirements

Select an Industry Framework

IT Security Policy Frameworks

IT Security Policy Frameworks
Organizations often combine frameworks to draw upon individual strengths.

IT Security Policy Framework Domain Model

Information Technology (IT) Security Controls
IT security controls are a function of the IT infrastructure an organization has under its control and of the regulatory and business objectives that need to be controlled.
You can have too many IT security controls, impeding the organization from operating at optimal capacity and thus reducing its revenue potential.

Information Technology (IT) Security Controls (Continued)
Generic IT security controls as a function of a business model:
  Deploy a layered security approach
  Use an SoD approach; this applies to transactions within the domain of responsibility
  Conduct security awareness training annually

Information Technology (IT) Security Controls (Continued)
Apply the three lines of defense model:
  First line: the business unit
  Second line: the risk management team
  Third line: independent auditors

GRC and ERM
Governance, Risk management, and Compliance (GRC): a discipline that formally brings together risk and compliance
GRC best practices:
  ISO series
  COBIT
  COSO
Enterprise Risk Management (ERM): follows common risk methodologies

Similarities Between GRC and ERM
Both define risk in terms of business threats
Both apply flexible frameworks
Both eliminate redundant controls, policies, and efforts

Similarities Between GRC and ERM (Continued)
Both proactively enforce policy
Both seek line of sight into the entire population of risks

Differences Between GRC and ERM
GRC: focuses on technology, a series of tools, and centralized policies
ERM: focuses on value delivery; takes a broad look at risk, with adoption driven by leadership

Risk IT Framework Process Model

DISCOVER: PROCESS

Best Practices: Security Policy Framework
Using a risk management approach to framework implementation reduces the highest risks to the organization
  Example: the ISACA COBIT framework applied to SOX 404 requirements for publicly traded organizations
Align the organization's security policy with business objectives and regulatory requirements

Best Practices: Security Policy Framework (Continued)
Which best-practice methodology to use is decided by organizational requirements and government regulations

DISCOVER: ROLES

Roles
Head of information management
Data stewards
Data custodians
Data administrators
Data security administrators

Roles and Responsibilities
Executive Management: responsible for governance and compliance requirements, funding, and policy support
Chief Information Officer (CIO)/Chief Security Officer (CSO): responsible for policy creation, reporting, funding, and support
Chief Financial Officer (CFO)/Chief Operating Officer (COO): responsible for data stewardship; owners of the data

Roles and Responsibilities (Continued)
System Administrators/Application Administrators: responsible for custodianship of the data, maintaining the quality of the data, and executing the policies and procedures pertaining to the data, such as backup, versioning, updating, downloading, and database administration
Security Administrator: responsible for granting access, assessing threats to the data, and the IA program

Committees

DISCOVER: CONTEXTS

Importance of Governance and Compliance
Implementing a governance framework allows an organization to identify and mitigate risks in an orderly fashion
  It can also reduce cost, because the organization can respond to audit requests easily
A well-defined governance and compliance framework provides a structured approach
It can provide a common language

Importance of Governance and Compliance (Continued)
It is also a best-practice model for organizations of all shapes and sizes
Controls and risks become measurable with a framework
  Organizations with a governance and compliance framework can operate more efficiently
If you can measure the organization against a fixed set of standards and controls, you have won

Security Policy Framework: Six Business Risks
Strategic
Compliance
Financial
Operational
Reputational
Other

Business Risks

DISCOVER: RATIONALE

Separation of Duties (SoD)
SoD is part of a layered security approach
SoD duties fall within each IT domain
Applying SoD reduces both fraud and human error, because no single person can complete a sensitive transaction end to end without an independent check
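SoD only reduces fraud if someone actually checks that no one holds a conflicting combination of duties. The script below is an added example, not part of the original lesson or the Jones and Bartlett material: it flattens role assignments into the duties each user can actually perform, flags "toxic combinations" (detective check over an access export), and also lists the role pairs that a provisioning workflow should refuse to co-assign (preventive check). The users, roles, duties and conflict pairs are constructed and hypothetical.

```python
"""Separation-of-duties (SoD) conflict check over an access-assignment export.

Added example; the role names, users and the conflict matrix below are
constructed for illustration and are not part of the original lesson.
"""
from collections import defaultdict
from itertools import combinations, combinations_with_replacement

# Constructed conflict rules: pairs of duties one person must never hold
# together. Each pair lets a single actor complete a sensitive transaction
# end to end with no independent check.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),   # create a fake vendor and pay it
    frozenset({"payment_create", "payment_approve"}),  # self-approve a payment
    frozenset({"code_commit", "prod_deploy"}),         # push own unreviewed change to prod
    frozenset({"firewall_change", "firewall_change_approve"}),
}

# Constructed role -> duties mapping, as an RBAC system would export it.
ROLE_DUTIES = {
    "ap_clerk": {"vendor_create", "payment_create"},
    "ap_manager": {"payment_approve"},
    "developer": {"code_commit"},
    "release_engineer": {"prod_deploy"},
    "netops": {"firewall_change"},
    "netops_lead": {"firewall_change_approve"},
}

# Constructed user -> roles assignments, the input an auditor pulls from IAM.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},            # conflict: create + approve payments
    "carol": {"developer", "release_engineer"},   # conflict: commit + deploy
    "dave": {"netops"},
    "erin": {"netops", "netops_lead"},            # conflict: change + approve change
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Flatten a user's roles into the set of duties they can actually perform."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def find_sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                        conflicts=SOD_CONFLICTS):
    """Detective check: return {user: [(duty_a, duty_b), ...]} for every user
    whose effective duties contain a forbidden combination."""
    violations = defaultdict(list)
    for user, roles in sorted(user_roles.items()):
        duties = effective_duties(roles, role_duties)
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in conflicts:
                violations[user].append((a, b))
    return dict(violations)


def role_pairs_in_conflict(role_duties=ROLE_DUTIES, conflicts=SOD_CONFLICTS):
    """Preventive check: which role pairs must never be granted together?
    A pair (r, r) means the role is toxic on its own and needs splitting.
    Use this as a rule in the provisioning workflow, before access is granted."""
    bad = set()
    for r1, r2 in combinations_with_replacement(sorted(role_duties), 2):
        combined = role_duties[r1] | role_duties[r2]
        if any(pair <= combined for pair in conflicts):
            bad.add((r1, r2))
    return bad


if __name__ == "__main__":
    for user, pairs in find_sod_violations().items():
        for a, b in pairs:
            print(f"SoD violation: {user} holds both {a!r} and {b!r}")
    print("Role pairs that must not be co-assigned:",
          sorted(role_pairs_in_conflict()))
```

In practice the detective check runs on a schedule against the real IAM export and feeds the audit evidence the third line of defense asks for, while the preventive check sits in the access-request approval step so that the conflicting grant is refused rather than found later.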

Layered Security Approach
A layered security approach means having two or more layers of independent controls to reduce risk. Layered security leverages the redundancy of the layers: if one layer fails to catch the risk or threat, the next layer should.

Summary
Different methods and best practices for approaching a security policy framework
Importance of defining roles, responsibilities, and accountability for personnel
Separation of duties (SoD)
Importance of governance and compliance