Information Security IBK3IBV01 College 2 Paul J. Cornelisse.

Basis
▸ Information systems and the information processed on them are often considered to be critical assets that support the mission of an organization.

Cost
▸ The costs and benefits of information security should be carefully examined in both monetary and nonmonetary terms, to ensure that the cost of controls does not exceed the expected benefits.

Controls
▸ Information security controls should be appropriate and proportionate.

R & A (responsibilities and accountabilities)
▸ The responsibilities and accountabilities of the
  ▸ information owners,
  ▸ providers,
  ▸ and users of computer services,
  and of other parties concerned with the protection of information and computer assets, should be explicit.

External users
▸ If a system has external users, its owners have a responsibility to share appropriate knowledge about the existence and general extent of control measures, so that other users can be confident that the system is adequately secure.
▸ As we expand the user base to include suppliers, vendors, clients, customers, shareholders, and the like, it is incumbent upon the enterprise to have clear and identifiable controls.

First sign
▸ For many organizations, the initial sign-on screen is the first indication that there are controls in place.

Basic elements of logon screen
▸ It should contain three basic elements:
  1. The system is for authorized users only
  2. Activities are monitored
  3. By completing the sign-on process, the user agrees to the monitoring

More than Just Computer Security
▸ An information security program is more than establishing controls for the computer-held data.
▸ The “paperless office”
▸ To be an effective program, information security must move beyond the narrow scope of IT and address the issues of information security.
▸ Employee Mindset Toward Controls
  1. Offices secured
  2. Desks and cabinets secured
  3. Workstations secured
  4. Information secured
  5. Electronic media secured
▸ The typical office environment will have a 90% to 95% noncompliance rate with at least one of these basic control mechanisms.
▸ When conducting a review, employee privacy issues must be remembered.

Developing Policies: Policy Is the Cornerstone
The cornerstone of an effective information security architecture is a well-written policy statement. This is the source from which all other directives, standards, procedures, guidelines, and other supporting documents will spring.

Developing Policies
The internal portion tells employees what is expected of them and how their actions will be judged. The external portion tells the world how the enterprise sees its responsibilities.

Developing Policies: Definitions

Developing Policies: Policy
A policy is a high-level statement of enterprise beliefs, goals, objectives and the general means for their attainment for a specified subject area.

Developing Policies: Standards
Standards are mandatory requirements that support individual policies. Standards can range from what software or hardware can be used, to what remote access protocol is to be implemented, to who is responsible for approving what.

Developing Policies: Procedures
Procedures are mandatory step-by-step detailed actions required to successfully complete a task.

Developing Policies: Guidelines
Guidelines are documented suggestions for the regular and consistent implementation of accepted practices.

Policy Key Elements
To meet the needs of an organization, a good policy should:
▸ Be easy to understand
▸ Be applicable
▸ Be doable
▸ Be enforceable
▸ Be phased in
▸ Be proactive
▸ Avoid absolutes
▸ Meet business objectives

Developing Policies: Policy Format
The format depends on the look and feel of policies in your own organization. Content: Topic, Scope, Responsibilities, Compliance or Consequences.

Developing Policies: The three types of policies
1. Global (tier 1): used to create the organization’s overall vision and direction
2. Topic-specific (tier 2): address particular subjects of concern
3. Application-specific (tier 3): focus on decisions taken by management to control particular applications (financial reporting, payroll, etc.) or systems (budgeting system)

Developing Policies: More on tier 3
▸ Who has the authority to read or modify data?
▸ Under what circumstances can data be read or modified?
▸ How is remote access to be controlled?

Resume
Reason: To provide direction regarding the protection of .... information resources from unauthorized access, modification, duplication, destruction or disclosure.
The policy applies to all .... personnel, including employees, interns, vendors, contractors, and volunteers.
The policy pertains to all information resources used to conduct .... business or used to transmit or store .... Restricted or Confidential information.

Developing Policies: terms defined in the policy
▸ Information Resource
▸ Information Owner
▸ Business Owner
▸ Information Classification Categories: Restricted, Confidential, Public
▸ Reclassification
▸ Custodian
▸ Users

Developing Policies: Information Resource
Information includes, but is not limited to:
a. Personally identifiable information (PII)
b. Reports, files, folders, memoranda
c. Statements, examinations, transcripts
d. Images, and
e. Communications

Developing Policies: Information Owner
The Director of a Division where the information resource is created, or who is the primary user of the information resource.

Developing Policies: Business Owner
Where multiple information owners for the same information resource occur, the information owners must designate a Business Owner who will have authority to make decisions on behalf of all the owners of the information resource.

Developing Policies: Information Classification Categories
All information shall be classified by the information owner into one of three classification categories: Restricted, Confidential, Public.

Developing Policies: Reclassification
The information owner is to establish a review cycle for all information classified as Restricted or Confidential, and reclassify it when it no longer meets the criteria established for such information. This cycle should be commensurate with the value of the information but should not exceed 1 year.

Developing Policies: Custodian
The individual or entity designated by the information owner that is responsible for maintaining safeguards established by the information owner.

Developing Policies: Users
Authorized personnel responsible for using and safeguarding the information resources under their control according to the directions of the information owner.

Developing Policies: Responsibilities
The information owner has the responsibility to:
a. Identify the classification level of all information resources within their division
b. Define and verify implementation of appropriate safeguards to ensure the confidentiality, integrity, and availability of the information resource
c. Monitor the safeguards to ensure their compliance and report instances of noncompliance
d. Authorize access to those who have a demonstrated business need for the information resource, and
e. Remove access to those who no longer have a business need for the information resource

The Custodian has the responsibility to:
a. Implement integrity controls and access control requirements specified by the information owner
b. Advise the information owner of any major deficiency or vulnerability encountered that results in a failure to meet requirements
c. Comply with all specific guidelines and procedures to implement, support, and maintain information security

The Users have the responsibility to:
a. Access only the information for which they have been authorized
b. Use the information only for the purpose intended
c. Ensure that authenticating information (e.g., password) is in compliance with existing security standards
d. Maintain the integrity, confidentiality and availability of information accessed, consistent with the information owner’s expectations, while under their control
e. Comply with all specific guidelines and procedures to implement, support, and maintain Information Security policies and standards
f. Report violations or suspected violations of policies and standards to the appropriate management or Information Security Project Manager
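The reclassification rule (review cycle not exceeding 1 year for Restricted and Confidential information) and the owner's duties (classify every resource, authorize access only on a demonstrated business need) can be turned into an audit check over an inventory. The following is an added example, not part of the lecture or any organization's policy; the inventory records, grants and the audit date are constructed, and the record layout is a hypothetical one chosen for the example.

```python
from datetime import date, timedelta

REVIEW_CYCLE_MAX = timedelta(days=365)   # the review cycle must not exceed 1 year
CLASSIFICATIONS = ("Restricted", "Confidential", "Public")

# Constructed sample inventory (hypothetical records, not from the lecture).
INVENTORY = [
    {"name": "payroll-db", "owner": "Director Finance",
     "classification": "Restricted", "last_review": date(2023, 1, 15)},
    {"name": "press-releases", "owner": "Director Communications",
     "classification": "Public", "last_review": date(2020, 6, 1)},
    {"name": "exam-transcripts", "owner": None,
     "classification": "Confidential", "last_review": date(2024, 3, 10)},
]
# Constructed access grants: the business need recorded when access was authorized.
GRANTS = [
    {"user": "alice", "resource": "payroll-db", "business_need": "runs monthly payroll"},
    {"user": "bob", "resource": "payroll-db", "business_need": ""},
]
AS_OF = date(2024, 6, 1)   # constructed date on which the audit is run


def check_inventory(inventory, grants, today):
    """Return (resource, finding) pairs for every policy rule that is not met."""
    findings = []
    for r in inventory:
        if not r["owner"]:
            # Every resource needs an information owner; nobody else may classify it.
            findings.append((r["name"], "no information owner assigned"))
        if r["classification"] not in CLASSIFICATIONS:
            findings.append((r["name"], "not classified as Restricted/Confidential/Public"))
        elif r["classification"] != "Public" and today - r["last_review"] > REVIEW_CYCLE_MAX:
            # Only Restricted and Confidential information is subject to the review cycle.
            findings.append((r["name"], "reclassification review overdue"))
    for g in grants:
        if not g["business_need"].strip():
            # Access is authorized only for a demonstrated business need.
            findings.append((g["resource"], f"access for {g['user']} lacks a documented business need"))
    return findings


if __name__ == "__main__":
    for resource, finding in check_inventory(INVENTORY, GRANTS, AS_OF):
        print(f"{resource}: {finding}")
```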