The 10 Deadly Sins of Information Security Management


The 10 Deadly Sins of Information Security Management
Basie von Solms & Rossouw von Solms, Computers & Security (23), 371-376, 2004
Presented by Bhavana Reshaboina

Introduction
- The authors discuss 10 essential aspects to be taken into account when planning and implementing an information security plan.

Information Security Is A Corporate Governance Responsibility
- Laws and legal requirements emphasize the integration of information security with corporate governance.
- Compromised informational assets can lead to financial and legal implications.
- Top management has to be involved in ensuring the protection of sensitive information.

Information Protection Is Not A Technical Issue Alone
- Securing informational assets is a business issue as much as it is a technical one.
- Information protection is an investment.
- Investment decisions are business decisions.

Information Security Governance Is A Multi-dimensional Discipline
- Various dimensions collectively contribute towards a secure environment.
- Some examples are legal, personnel, technical, ethical, organizational, etc.
- A single dimension, product or tool results in lopsided solutions.
- All the important dimensions must be taken into account.

Information Security Plan Must Be Based On Identified Risks
- Know what assets need protection.
- Know what the potential threats are.
- If security planning is not based on risk analysis, time and money are spent on unclear objectives.

Adopting Best Practices For Information Security Governance
- Learn from the success and failure experiences of others.
- The ‘bread & butter’ aspects of information security are the same in most IT environments.
- The challenge is to ‘Do the right thing at the right time’.
- Use of documented ‘Standards and Guidelines’ should be the starting point.

A Corporate Information Security Policy Is Absolutely Essential
- The security policy is the heart of any security management plan.
- It is the starting point and reference on which all other security-related sub-policies or standards are based.
- It must be signed by the top executives of the company.

Information Security Compliance Enforcement And Management Are Essential
- A perfect security policy is of no use if it is not enforced effectively.
- Continuous monitoring is needed to ensure proper compliance: ‘That which can be measured can be managed’.
- Technical and non-technical tools must be used to monitor the policy in real time.

Proper Information Security Governance Structure Is Essential
- Governance structure refers to organizational structure, job responsibilities, communication flow, etc.
- Structured chaos is good.
- It brings clarity and accountability to the security management plan.

Information Security Awareness Among Users Is Important
- Users unaware of the security policies and of the potential risks arising from their activities render the best security planning ineffective.
- Users should not be made the weakest link.
- Money spent on user awareness is some of the best money spent on information security.

Empower Managers To Support Information Security
- The information security manager cannot run a one-man show.
- The necessary infrastructure, tools and supporting mechanisms need to be provided.

Conclusions
- Creating and implementing a proper information security program is based on understanding the essential issues unique to IT security.
- Any plan that addresses these core issues would serve to protect the IT assets suitably.

Thank You!
Questions and comments are welcome.