Presentation is loading. Please wait.

Presentation is loading. Please wait.

April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Enforcing Business Rules and Information Security Policies through.

Published byKatelyn Lowe Modified over 10 years ago

Similar presentations

Presentation on theme: "April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Enforcing Business Rules and Information Security Policies through."— Presentation transcript:

1 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Enforcing Business Rules and Information Security Policies through Compliance Audits Frederick Yip, Pradeep Ray, Nandan Paramesh School of Computer Science & Engineering School of Information Systems & IT Management University of New South Wales Sydney, Australia

2 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Outline Background – What the industry are doing? Problem – What are the challenges? Motivation – How these challenges motivated the research? XISSF – Compliance Mechanism Limitations & Future Work – Holistic Framework Conclusion

3 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Background Ever-increasing pressure and responsibilities for organizations to fulfill the requirements enforced by different regulations By actively assessing corporate security compliance base on renowned standards, guidelines and best practices, e.g. CobiT, ISO17799. secure trust and recognitions from customers and business partners US$15.5 Billion in 2005 US$5.8 Billion for Sarbanes Oxley Alone in 2005 Estimated to exceed US$80 billion over the next 5 years on Compliance Spending HIPAA affects organizations that maintain medical health information New! European 8 th Directive – SOX Equivalent in EU – Currently in Draft Mode

4 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Standards CobiT v3, CobiT v4 Control Objectives for Information and related Technology ISO/IEC17799:2000, ISO/IEC17799:2005 Information technology - Security techniques - Code of practice for information security management AS/NZ17799:2001 Information technology - Code of practice for information security management BSI IT Baseline Protection Manual BS7799, ISO27001 Information Technology - Security Techniques - Information Security Management Systems – Requirement

5 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales The Problem Multi-regulation 3 out of 4 organizations must comply with 2 or more regulations 43% organizations must comply with 3 or more regulations Too many standards – which one should you use? Regulations Organization Structure Jurisdiction Industry Auditor Standards are different Some overlapping Changes from time to time (versions) Manual Process – Time Consuming Co-ordination and co-operation from Business Units Subjective

6 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Compliance Process Traditional Checklists Legislation and regulation are ambiguous to IT The need for a common Infosec specification format that can be distributed to other Business Units What about multiple information security standards? The need for a uniform way of checking compliance to policies and best practices The need for a uniform way to report audit and compliance results

7 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales eXtensible Information Security Specification Format (XISSF) What is it? Common Infosec specification format and platform - not vendor or firm specific Based on XML Textual descriptions of the security clauses or safeguards within Infosec standards are restructured and codified XISSF is capable of: Encapsulating and segregating the clauses extracted from different textual standards Heterogeneous format of clauses from multiple standards can be encapsulated in a single XISSF document. Transportable between business units - across a global business. Express information security specification explicitly – decreases ambiguity. Uniform way of checking compliance to policies and best practices A machine interpretable format for computer-aided assessment on security compliance.

8 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales XISSF Foundation for providing automated support for compliance audits. Addresses the problem of heterogeneous information security standards Agent can be designed to perform routine and subjective tasks based on XISSF – mobile agents and multi-agents systems. Tags Enclosed weighting metric for each checkpoint in the clauses for audit and assessment purposes. Atomic actionable questions or statements identified as checkpoints. XISSF GROUP CLAUSE GROUP CHECKPOINT OBJECTIVE CHECKPOINT CLAUSE CHECKPOINT OBJECTIVE CHECKPOINT description, weight, required threat type, constraints, pre-requisites, … due, reminder, reference … id, required, role … title, pre-req… description, weight, required threat type, constraints, pre-requisites, …

9 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Regulations/Standards/Clauses/Checkpoints

10 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Sample Clause - ISO17799 5.1.1 Information security policy document Control An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. Implementation guidance The information security policy document should state management commitment and set out the organizations approach to managing information security. The policy document should contain statements concerning: a) a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing (see introduction); b) a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives; c) a framework for setting control objectives and controls, including the structure of risk assessment and risk management; …. draft XISSF Sample XISSF - eXtensible Information Security Specification Format. This document defines a list of security specification policies that should be enforced on the organization. This can vary from technical policies to abstract business level processes. ISO17799 International Standard Organization ISO17799:2005 2005 http://www.iso.org Information security policy document An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties. The information security policy document should state management commitment and set out the organizations approach to managing information security. The policy document should contain statements concerning a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing. The policy document should contain statements concerning a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives; …

11 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Scenario HIPAA

12 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Limitation & Future Work Preliminary in nature but essential for any future work Checkpoints currently in English – Human Intervention Improve automation Ontology based Schema for each governance standard Application of Concept Learning/Extraction Methodologies for IT Standards Assessment Strategy Based on XISSF Agent Based Compliance Management based on XISSF

13 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales The Big Picture Interface Agent Interface Agent Involvement

14 April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Conclusion An approach and mechanism to express explicit information security requirements and compliance audits in a codified format. Increase portability especially for global business Provided a foundation to enable computer assisted compliance auditing. Normalization of XISSF decreases redundant compliance tasks and identify conflicts Reduce interaction time in compliance time, improve efficiency Better modularization to segregate compliance tasks Role-based Ability to consolidate and extend multiple & heterogeneous infosec specifications The process of compliance is an important component of ensuring IT security controls are employed and used correctly. It is a continuous effort!

Download ppt "April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Enforcing Business Rules and Information Security Policies through."

Similar presentations

HL7 V2 Implementation Guide Authoring Tool Proposal

HL7 V2 Implementation Guide Authoring Tool Proposal
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Policy Auditing over Incomplete Logs: Theory, Implementation and Applications Deepak Garg 1, Limin Jia 2 and Anupam Datta 2 1 MPI-SWS (work done at Carnegie.

Policy Auditing over Incomplete Logs: Theory, Implementation and Applications Deepak Garg 1, Limin Jia 2 and Anupam Datta 2 1 MPI-SWS (work done at Carnegie.
EMS Checklist (ISO model)

EMS Checklist (ISO model)
Agenda What is Compliance? Risk and Compliance Management

Agenda What is Compliance? Risk and Compliance Management
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
Singapore February 2001 Promoting Fair and Transparent Regulation in Securities Markets A Presentation to the APEC-OECD Co-operative Initiative on Regulatory.

Singapore February 2001 Promoting Fair and Transparent Regulation in Securities Markets A Presentation to the APEC-OECD Co-operative Initiative on Regulatory.
International Council on Archives Project Principles and Functional Requirements for Records in Electronic Office Environments Adrian Cunningham National.

International Council on Archives Project Principles and Functional Requirements for Records in Electronic Office Environments Adrian Cunningham National.
PRESENTATION ON MONDAY 7 TH AUGUST, 2006 BY SUDHIR VARMA FCA; CIA(USA) FOR THE INSTITUTE OF INTERNAL AUDITORS – INDIA, DELHI CHAPTER.

PRESENTATION ON MONDAY 7 TH AUGUST, 2006 BY SUDHIR VARMA FCA; CIA(USA) FOR THE INSTITUTE OF INTERNAL AUDITORS – INDIA, DELHI CHAPTER.
Cloud computing security related works in ITU-T SG17

Cloud computing security related works in ITU-T SG17
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Bill McClanahan – Principal Business Consultant LPS Integration.

Bill McClanahan – Principal Business Consultant LPS Integration.
ORGANIZATION. 2 Problem scenario  Develop an organizational chart for your laboratory showing lines of authority from the head of the organization to.

ORGANIZATION. 2 Problem scenario  Develop an organizational chart for your laboratory showing lines of authority from the head of the organization to.
Phone: (919) 573-6132 Fax: (919) 677-8470 21CFR Part 11 FDA Public Meeting Comments Presented by: M. Rita.

Phone: (919) Fax: (919) CFR Part 11 FDA Public Meeting Comments Presented by: M. Rita.
Requirements Engineering n Elicit requirements from customer  Information and control needs, product function and behavior, overall product performance,

Requirements Engineering n Elicit requirements from customer  Information and control needs, product function and behavior, overall product performance,
PwC David Devlin 23 April 2002 Auditor Independence in a Global Market Place.

PwC David Devlin 23 April 2002 Auditor Independence in a Global Market Place.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
ISO/IEC 27001 Winnie Chan BADM 559 Professor Shaw 12/15/2008.

ISO/IEC Winnie Chan BADM 559 Professor Shaw 12/15/2008.

Similar presentations

Ads by Google