
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.


Slide 1: Lesson 4, IT Security Policy Framework Approaches

Slide 2: Learning Objective
 Describe the different methods, roles, responsibilities, and accountabilities of personnel, along with the governance and compliance of a security policy framework.

Slide 3: Key Concepts
 Different methods and best practices for approaching a security policy framework
 Importance of defining roles, responsibilities, and accountability for personnel
 Separation of duties (SoD)
 Importance of governance and compliance

Slide 4: DISCOVER: CONCEPTS

Slide 5: Information Systems Security Policy Frameworks
 Choosing the right framework is not easy
 Use a simplified security policy framework domain model
 Flexible frameworks fit governance and compliance planning requirements

Slide 6: Select an Industry Framework

Slide 7: IT Security Policy Frameworks

Slide 8: IT Security Policy Frameworks

Slide 9: IT Security Policy Frameworks
Organizations often combine frameworks to draw upon their individual strengths.

Slide 10: IT Security Policy Framework Domain Model

Slide 11: Information Technology (IT) Security Controls
 IT security controls are a function of the IT infrastructure an organization has under its control and of the regulatory and business objectives that must be met
 You can have too many IT security controls; excessive controls impede the organization from operating at optimal capacity and reduce its revenue potential

Slide 12: Information Technology (IT) Security Controls (Continued)
 Generic IT security controls as a function of a business model
  - Deploy a layered security approach
  - Use an SoD approach; this applies to transactions within each domain of responsibility
  - Conduct security awareness training annually

Slide 13: Information Technology (IT) Security Controls (Continued)
 Apply the three lines of defense model
  - First line: the business unit
  - Second line: the risk management team
  - Third line: independent auditors

Slide 14: GRC and ERM
 Governance, Risk management, and Compliance (GRC): a discipline that formally brings governance, risk management, and compliance together
  - GRC best practices: ISO 27000 series, COBIT, COSO
 Enterprise Risk Management (ERM): follows common risk methodologies

Slide 15: Similarities Between GRC and ERM
 Both define risk in terms of business threats
 Both apply flexible frameworks
 Both eliminate redundant controls, policies, and efforts

Slide 16: Similarities Between GRC and ERM (Continued)
 Both proactively enforce policy
 Both seek line of sight into the entire population of risks

Slide 17: Differences Between GRC and ERM
 GRC: focuses on technology, a series of tools, and centralized policies
 ERM: focuses on value delivery; takes a broad look at risk, with adoption driven by leadership

Slide 18: Risk IT Framework Process Model

Slide 19: DISCOVER: PROCESS

Slide 20: Best Practices: Security Policy Framework
 Using a risk management approach to framework implementation reduces the highest risks to the organization
  - Example: the ISACA COBIT framework used to meet SOX Section 404 requirements for publicly traded organizations
 Aligning the organization's security policy with business objectives and regulatory requirements

Slide 21: Best Practices: Security Policy Framework (Continued)
 Which best-practice methodology to use is best answered by the organization's own requirements and the government regulations that apply to it

Slide 22: DISCOVER: ROLES

Slide 23: Roles
 Head of information management
 Data stewards
 Data custodians
 Data administrators
 Data security administrators

Slide 24: Roles and Responsibilities
 Executive Management: responsible for governance and compliance requirements, funding, and policy support
 Chief Information Officer (CIO)/Chief Security Officer (CSO): responsible for policy creation, reporting, funding, and support
 Chief Financial Officer (CFO)/Chief Operating Officer (COO): responsible for data stewardship; owners of the data

Slide 25: Roles and Responsibilities (Continued)
 System Administrators/Application Administrators: responsible for custodianship of the data, maintaining its quality, and executing the policies and procedures that pertain to it, such as backup, versioning, updating, downloading, and database administration
 Security Administrator: responsible for granting access, assessing threats to the data, and the information assurance (IA) program

Slide 26: Committees

Slide 27: DISCOVER: CONTEXTS

Slide 28: Importance of Governance and Compliance
 Implementing a governance framework allows an organization to identify and mitigate risks in an orderly fashion
  - Can reduce costs, because the organization can respond easily to audit requests
 A well-defined governance and compliance framework provides a structured approach
 Can provide a common language

Slide 29: Importance of Governance and Compliance (Continued)
 Is also a best-practice model for organizations of all shapes and sizes
 Controls and risks become measurable with a framework
  - Organizations with a governance and compliance framework can operate more efficiently
 If you can measure the organization against a fixed set of standards and controls, you have won

Slide 30: Security Policy Framework: Six Business Risks
 Strategic
 Compliance
 Financial
 Operational
 Reputational
 Other

Slide 31: Business Risks

Slide 32: DISCOVER: RATIONALE

Slide 33: Separation of Duties (SoD)
 Part of a layered security approach
 SoD duties fall within each IT domain
 Applying SoD reduces both fraud and human error

Slide 34: Layered Security Approach
A layered security approach means having two or more layers of independent controls to reduce risk. Layered security leverages the redundancy of the layers: if one layer fails to catch the risk or threat, the next layer should.
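An added worked example of the SoD principle from slides 12 and 33 above, not part of the Jones and Bartlett material: a small Python checker over a constructed role-based access model. It shows the two forms SoD takes in practice: a detective control that lists every user whose effective permissions contain a toxic combination (and a preventive variant that answers "would granting this role create a conflict?" before the assignment is made), and a transaction-level two-person rule on a payment so that the requester can never also be the approver. The permission-right check and the requester-is-not-approver check are two independent layers in the sense of slide 34. Every permission name, conflict pair, role and user below is hypothetical.

```python
"""Separation-of-duties (SoD) checks over a role-based access model.

Added example; not from the Jones and Bartlett slides. Every permission
name, conflict pair, role and user below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Toxic combinations: no single person may hold both permissions in a pair.
# Hypothetical list modelled on typical finance / change-management SoD rules.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"vendor.create", "payment.approve"}),   # create a payee AND pay it
    frozenset({"code.commit", "code.deploy_prod"}),    # write code AND ship it
    frozenset({"firewall.change", "firewall.audit"}),  # make a change AND audit it
}

# Constructed role -> permission mapping.
ROLES: Dict[str, Set[str]] = {
    "ap_clerk":    {"vendor.create", "invoice.enter"},
    "ap_manager":  {"payment.approve"},
    "developer":   {"code.commit"},
    "release_eng": {"code.deploy_prod"},
    "netops":      {"firewall.change"},
    "auditor":     {"firewall.audit", "log.read"},
}

# Constructed user -> roles assignment. "dave" and "eve" were deliberately
# given conflicting roles so the checker has something to find.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_manager"},
    "carol": {"developer"},
    "dave":  {"developer", "release_eng"},
    "eve":   {"netops", "auditor"},
}

Conflict = Tuple[str, ...]


def effective_permissions(user: str, user_roles=USER_ROLES, roles=ROLES) -> Set[str]:
    """Union of the permissions granted by every role the user holds."""
    perms: Set[str] = set()
    for role in user_roles.get(user, set()):
        perms |= roles.get(role, set())
    return perms


def _conflicts_in(perms: Set[str], conflicts=SOD_CONFLICTS) -> List[Conflict]:
    """Sorted list of toxic pairs that are fully contained in a permission set."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)


def sod_violations(user_roles=USER_ROLES, roles=ROLES,
                   conflicts=SOD_CONFLICTS) -> Dict[str, List[Conflict]]:
    """Detective control: every user whose effective permissions violate SoD."""
    report: Dict[str, List[Conflict]] = {}
    for user in user_roles:
        hits = _conflicts_in(effective_permissions(user, user_roles, roles), conflicts)
        if hits:
            report[user] = hits
    return report


def would_violate(user: str, new_role: str, user_roles=USER_ROLES, roles=ROLES,
                  conflicts=SOD_CONFLICTS) -> List[Conflict]:
    """Preventive control: conflicts that granting `new_role` would newly create."""
    before = effective_permissions(user, user_roles, roles)
    after = before | roles.get(new_role, set())
    already = _conflicts_in(before, conflicts)
    return [c for c in _conflicts_in(after, conflicts) if c not in already]


class SoDError(Exception):
    """One person tried to complete both halves of a controlled transaction."""


@dataclass
class Payment:
    amount: float
    requested_by: str
    approved_by: Optional[str] = None


def approve_payment(payment: Payment, approver: str,
                    user_roles=USER_ROLES, roles=ROLES) -> Payment:
    """Two-person rule: the approver needs the right AND must not be the requester."""
    if "payment.approve" not in effective_permissions(approver, user_roles, roles):
        raise PermissionError(f"{approver} does not hold payment.approve")
    if approver == payment.requested_by:
        raise SoDError(f"{approver} cannot approve a payment they requested")
    payment.approved_by = approver
    return payment


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        print(f"SoD violation: {user} holds {hits}")
    print("carol + release_eng would create:", would_violate("carol", "release_eng"))
    print(approve_payment(Payment(1250.00, "alice"), "bob"))
```

Run it as a script to see the two deliberately toxic users reported, the pre-assignment check refusing to let a developer also become a release engineer, and a payment approved only when someone other than the requester, holding the approval right, signs off. In a real deployment the conflict list and role model would be pulled from the identity provider rather than embedded, and the detective check would run on a schedule as the audit evidence that the control exists.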

Slide 35: Summary
 Different methods and best practices for approaching a security policy framework
 Importance of defining roles, responsibilities, and accountability for personnel
 Separation of duties (SoD)
 Importance of governance and compliance

