
IS4550 Security Policies and Implementation



Presentation on theme: "IS4550 Security Policies and Implementation"— Presentation transcript:

1 IS4550 Security Policies and Implementation
Unit 4 Information Systems Security Policy Framework

2 Class Agenda 7/7/16
Lesson Covers Chapter 8
Learning Objectives
Lesson Presentation and Discussions
Discussion on Assignments
Discussion on Lab Activities
Break Times as per School Regulations
Try to read the text book before class
Make Up Class for IS4680: Discussion
(c) ITT Educational Services, Inc.

3 Learning Objective Describe the different methods, roles, responsibilities, and accountabilities of personnel, along with the governance and compliance of security policy framework.

4 Key Concepts
Different methods and best practices for approaching a security policy framework
Importance of defining roles, responsibilities, and accountability for personnel
Separation of duties (SOD)
Importance of governance and compliance

5 EXPLORE: CONCEPTS

6 Information Systems Security Policy Frameworks
Choosing the framework that works in your organization is not easy
The one selected will be based on the organizational type, risk, and view from top management
A simplified security policy framework domain model:
Federal Information Security Management Act of 2002 (FISMA)
Committee of Sponsoring Organizations (COSO)
Control Objectives for Information and related Technology (COBIT) (public organizations only, as this is for SOX 404)
ISO 27002, ITIL, NIST, OCTAVE, PCI DSS (if you process payments electronically)
Frameworks are flexible and allow an organization to adopt constructs that fit its overall governance and compliance planning requirements

7 Information Technology (IT) Security Controls
IT security controls are a function of the IT infrastructure that an organization has in its control and the regulatory and business objectives that need to be controlled.
You can have too many IT security controls, impeding the organization from operating at optimal capacity and thus reducing its revenue potential.

8 Information Technology (IT) Security Controls (Continued)
Generic IT security controls as a function of a business model:
Deploy a layered security approach
Use an SOD approach; this applies to transactions within the domain of responsibility
Conduct security awareness training annually

9 Information Technology (IT) Security Controls (Continued)
Apply the 3 lines of defense model:
First line: The business unit
Second line: The risk management team
Third line: Independent auditors

10 GRC & ERM
Governance, Risk management, and Compliance (GRC): a discipline formally bringing together risk and compliance
GRC best practices: ISO series, COBIT, COSO
Enterprise Risk Management (ERM): follows common risk methodologies

11 Similarities and Differences between GRC and ERM
Main Similarities
Defines risk in terms of business threats
Applies flexible frameworks to satisfy multiple compliance regulations
Eliminates redundant controls, policies, and efforts
Proactively enforces policy
Seeks line of sight into the entire population of risks
Main Differences
GRC focuses on technology, a series of tools, and centralized policies
ERM focuses on value delivery, takes a broad look at risk based on the adoption driven by the organization's leadership, and shifts the discussion from what the organization should spend to how the organization spends money in mitigating risk

12 EXPLORE: PROCESS

13 Best Practices-Security Policy Framework
Using a risk management approach to framework implementation, reducing the highest risk to the organization first
The ISACA COBIT framework for SOX 404 requirements for publicly traded organizations
Aligning the organization's security policy with business objectives and regulatory requirements

14 Best Practices-Security Policy Framework (Continued)
Which best-practice methodology to use is best answered based on organizational requirements and governmental regulations

15 EXPLORE: ROLES

16 Roles and Responsibilities
Executive Management: Responsible for governance and compliance requirements, funding, and policy support
Chief Information Officer (CIO)/Chief Security Officer (CSO): Responsible for policy creation, reporting, funding, and support
Chief Financial Officer (CFO)/Chief Operating Officer (COO): Responsible for data stewardship; owners of the data

17 Roles and Responsibilities (Continued)
System Administrators/Application Administrators: Responsible for custodianship of the data, maintaining the quality of the data, and executing the policies and procedures pertaining to the data, such as backup, versioning, updating, downloading, and database administration
Security Administrator: Responsible for granting access and assessing threats to the data; the IA program

18 EXPLORE: CONTEXT

19 Importance of Governance and Compliance
Implementing a governance framework can allow the organization to identify and mitigate risks in an orderly fashion
This can be a cost reduction move for organizations, as they can easily respond to audit requests
A well-defined governance and compliance framework provides a structured approach
It can provide a common language

20 Importance of Governance and Compliance (Continued)
It is also a best-practice model for organizations of all shapes and sizes
Controls and risks become measurable with a framework; thus, organizations that have a governance and compliance framework can operate more efficiently
If you can measure the organization against a fixed set of standards and controls, you have won

21 Security Policy Framework-Business Risks
Categories: Strategic risks, Compliance risks, Financial risks, Operational risks, Other risks
Strategic risks: a broad category focused on an event that may change how the organization operates
Compliance risks: relate to the impact of the business failing to comply with legal obligations
Financial risks: the potential impact when the business fails to have adequate liquidity to meet its obligations
Operational risks: a broad category that describes any event that disrupts the organization's daily activities
Other risks: a broad category that relates to all other non-IT-specific events

22 EXPLORE: RATIONALE

23 SOD
Layered security approach: Using layered security provides redundancy of layers, so if one fails to catch the risk, another layer should. Thus, the more layers, the better the chance that a risk will be mitigated. However, one must remember that cost and restrictions also come with each layer deployed.
Domain of responsibility and accountability: These SOD duties fall within each individual domain, and applying SOD can and will reduce both fraud and human errors.
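As an added illustration of the SOD point above (example code written for this transcript, not course material), the check below flags users whose combined roles grant a pair of duties the policy says one person must not hold, and separately scans an audit log for transactions submitted and approved by the same person. The duty pairs, roles, users and log entries are all constructed sample data.

```python
# Added example: a small separation-of-duties (SOD) check.
# Policy, role model and audit log below are constructed sample data.

# Pairs of duties that one person must never hold together (constructed policy).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"submit_expense", "approve_expense"}),
    frozenset({"write_code", "deploy_to_production"}),
}

# Duties granted by each role (constructed role model).
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "submit_expense"},
    "ap_manager": {"approve_payment", "approve_expense"},
    "developer": {"write_code"},
    "release_engineer": {"deploy_to_production"},
}

# Constructed audit log: T-1002 was submitted and approved by the same person.
SAMPLE_LOG = [
    {"id": "T-1001", "submitted_by": "bob", "approved_by": "carol"},
    {"id": "T-1002", "submitted_by": "alice", "approved_by": "alice"},
    {"id": "T-1003", "submitted_by": "dave", "approved_by": "carol"},
]

def duties_for(roles):
    """Union of duties granted by a user's roles; unknown roles grant nothing."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties

def sod_violations(user_roles):
    """Preventive check: map each user to the sorted list of forbidden duty
    pairs their combined roles grant. An empty dict means the assignments are clean."""
    report = {}
    for user, roles in user_roles.items():
        held = duties_for(roles)
        hits = sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)
        if hits:
            report[user] = hits
    return report

def single_actor_transactions(audit_log):
    """Detective check: ids of transactions where submitter and approver are the
    same person, which catches SOD breaks the role model alone would miss."""
    return [txn["id"] for txn in audit_log
            if txn["submitted_by"] == txn["approved_by"]]
```

Running `sod_violations` at each role change and `single_actor_transactions` over the log gives both a preventive and a detective layer for the same control.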

24 Summary In this presentation, the following were covered:
Information systems security policy frameworks and IT security controls
Difference between GRC and ERM
Business risks associated with a security policy framework
Roles and responsibilities associated with an information systems security policy framework and SOD

25 Unit 4 Discussion and Assignments
Discussion 4.1 Separation of Duties (SOD)
Assignment 4.3 Security Policy Creation

26 Unit 4 Lab Activities
Lab is in the lab manual online
Lab 4.2 Craft a Layered Security Management Policy - Separation of Duties
Reading assignment: Read chapters 8 and 9

27 Class Project
Unit 4: Research on DoD-specific requirements, and any problems or questions - Draft
Deliverables or milestone drafts as specified in the project content will be submitted
Due in Week 11

