ADDING BUSINESS VALUE THROUGH EFFECTIVE IT SECURITY MANAGEMENT

Similar documents
"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Security Policies and Procedures Principles and Practices

SECURITY & PRIVACY DOCUMENTATION

CISM Certified Information Security Manager

Putting It All Together:

Introduction to ISO/IEC 27001:2005

Certified Information Security Manager (CISM) Course Overview

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Certified Information Systems Auditor (CISA)

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix

Checklist: Credit Union Information Security and Privacy Policies

Granted: The Cloud comes with security and continuity...

Managing SaaS risks for cloud customers

ADIENT VENDOR SECURITY STANDARD

TEL2813/IS2820 Security Management

Security Standards for Electric Market Participants

How will cyber risk management affect tomorrow's business?

CCISO Blueprint v1. EC-Council

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Recommendations for Implementing an Information Security Framework for Life Science Organizations

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

01.0 Policy Responsibilities and Oversight

THE POWER OF TECH-SAVVY BOARDS:

Security and Architecture SUZANNE GRAHAM

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

Employee Security Awareness Training Program

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

IT Attestation in the Cloud Era

Information Technology General Control Review

Canada Life Cyber Security Statement 2018

The Honest Advantage

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009

Information Security Policy

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

A Survival Guide to Continuity of Operations. David B. Little Senior Principal Product Specialist

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Information Security Management System

Cyber Risks in the Boardroom Conference

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

Security Management Models And Practices Feb 5, 2008

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

Advent IM Ltd ISO/IEC 27001:2013 vs

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

AN IPSWITCH WHITEPAPER. 7 Steps to Compliance with GDPR. How the General Data Protection Regulation Applies to External File Transfers

WORKSHARE SECURITY OVERVIEW

Security and Privacy Governance Program Guidelines

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

Information Security Controls Policy

QuickBooks Online Security White Paper July 2017

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management

Baseline Information Security and Privacy Requirements for Suppliers

Risk Management in Electronic Banking: Concepts and Best Practices

EXHIBIT A. - HIPAA Security Assessment Template -

Apex Information Security Policy

Cyber Criminal Methods & Prevention Techniques. By

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Institute of Technology, Sligo. Information Security Policy. Version 0.2

What is ISO ISMS? Business Beam

EU General Data Protection Regulation (GDPR) Achieving compliance

TSC Business Continuity & Disaster Recovery Session

COURSE BROCHURE CISA TRAINING

Minimum Requirements For The Operation of Management System Certification Bodies

Administration and Data Retention. Best Practices for Systems Management

FDIC InTREx What Documentation Are You Expected to Have?

The Role of Public Sector Audit and Risk Committees in Cybersecurity & Digital Transformation. ISACA All Rights Reserved.

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

CHAPTER 13 ELECTRONIC COMMERCE

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

DEFINITIONS AND REFERENCES

Oracle Data Cloud ( ODC ) Inbound Security Policies

CISM QAE ITEM DEVELOPMENT GUIDE

SDR Guide to Complete the SDR

ISO/IEC Information technology Security techniques Code of practice for information security management

INTELLIGENCE DRIVEN GRC FOR SECURITY

Protecting Information Assets - Week 3 - Data Classification Processes and Models. MIS 5206 Protecting Information Assets

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

THE PROCESS FOR ESTABLISHING DATA CLASSIFICATION. Session #155

Oracle Buys Automated Applications Controls Leader LogicalApps

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

Information Security Policy

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

716 West Ave Austin, TX USA

Cyber Diligence. EY Deals Forum Ian McCaw EY Transaction Advisory Services

Secure Application Development. OWASP September 28, The OWASP Foundation

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Security analysis and assessment of threats in European signalling systems?

Transcription:

ADDING BUSINESS VALUE THROUGH EFFECTIVE IT SECURITY MANAGEMENT 1 BY HUSSEIN K. ISINGOMA CISA,FCCA,CIA, CPA, MSC,BBS AG. ASSISTANT COMMISSIONER/INTERNAL AUDIT MINISTRY OF FINANCE, PLANNING AND ECONOMIC DEVELOPMENT ISACA- KAMPALA 28th April 2010

Presentation Layout Introduction What is IT Security Management? Security Management Cycle Key IT Security Concerns Adding Business Value Challenges Conclusion 2 ISACA- KAMPALA 28 April 2010

3 Introduction Businesses are increasingly dependent on IT to facilitate their operations Information is critical not only for business survival but for businesses to thrive Businesses are now more concerned about the significant damage that the various IT threats and vulnerabilities can cause Business expenditure on IT has been increasing by the day and there is no let up yet! 2009 2009 2010 2010 Computing 326.4-13.9 331.7 1.6 Hardware Software 220.7-2.1 231.5 4.9 IT Services 780.9-3.5 824.2 5.6 Telecom 1,887.7-3.6 1,976.6 4.7 All IT 3,215.7-4.6 3,364.0 4.6 Worldwide IT Spending Forecast (Billions of US Dollars) Source: Gartner (January 2010) Challenge of effectively managing IT security has grown in both difficulty and importance

Security Management Security is a condition that results from the establishment and maintenance of protective measures (preventive or detective) that ensure a state of inviolability from hostile acts or influences IT Security Management therefore focuses on ; i. Identity and Access Mgt(3 W s) ii. iii. 4 Information Mgt Threat Management ITSEC management is about identification of Potential systems problems/vulnerabilities and related controls

IT Security Management Cycle 5 Define Environment & Assets Monitoring & Audits Security Risk Analysis Security Administration Policies, Standards, & Guidelines Security Design Implementation

Security Management and Assurance Framework 6 Security Management ISO 17799 Assurance Control Objectives for Information and Related Technology (CoBIT) Business Infosec mgt Business Model for Information Security (BMIS) Policies, Standards & Guidelines

7 Control Objectives for Information Technology( CoBIT) Deliver and Support (DS) Ensure Systems Security( 1-21) 5.1 Manage Security Measures 5.2 Identification, Authentication and Access 5.3 Security of Online Access to Data 5.4 User Account Management 5.5 Management Review of User Accounts 5.6 User Control of User Accounts 5.7 Security Surveillance 5.8 Data Classification 2009

8 Security Management Standards-ISO 17799(2000) Detailed security standard that can be used by an organization to ensure effective security Management ISO 17799 Security Domains Security policy Security organisation Asset classification Personnel security Physical and Environmental Security Communications and operations management Formally a British standard BS7799 (1995) Access control Systems development and maintenance Business continuity management Compliance

Objectives of IT Security Management 9 (C)Confidentiality Safeguards unauthorized use/disclosure of information (I) Integrity safeguards the accuracy and completeness of information and processing methods (A) Availability reliable and timely access to information and associated assets when required.

IT Security Management Concerns 10 D a t a S e c u r i t y P h y s i c a l S e c u r i t y S t a n d a r d s D i s a s t e r R e c o v e r y A c c e s s S e c u r i t y G e n e r a l C o n t r o l s O p e r a t i n g S y s t e m S o f t w a r e P r o d u c t i o n C o n t r o l O p e r a t i o n s T e l e c o m m u n i c a t i o n s D a t a b a s e A d m i n i s t r a t i o n S y s t e m D e v e l o p m e n t M e t h o d o l o g y

Operations and Production Security Concerns 11 Operations Production controls Training-functional and refresher courses Maintenance of the master schedule Standard operating procedures / operational manual) Preventive maintenance schedules Controls over updates Controls over batch input and output processing Separation of duties(sod) Logs maintenance Offsite procedures Handling of information

Telecoms/network security concerns Service level agreements (SLA s) between telecom/network providers. Uptime thresholds, incident response times, 3 rd party business continuity arrangements Network traffic monitoring; traffic patterns should be reviewed regularly; unusual patterns monitored Intrusion prevention and detection(ipds) Are the companies providing the WAN services providing pro-active monitoring and response 12

Encryption Security Concerns Policies on data to be encrypted 13 Who is responsible for encryption keys. Do custodians understand and accept their key-custodian responsibilities? Frequency of change of passwords Storage of copies and destruction of obsolete keys Key Creation Procedures Key Rotation Procedures ISACA- KAMPALA 28th April 2010

Access security Concerns 14 Access should be based on least privilege i.e. granting users only those accesses required to perform their duties Review of Access Control Lists(ACL s) i.e. list of users and type of permitted access User registration/supplier creation( Weigh the pros and cons of centralized /decentralized controls) Password use/ management Terminal log on/off procedures Deprovisioning of access rights and accounts for consultants, IT service providers etc ISACA- KAMPALA 28th April 2010

Transaction Logs Maintenance Who/ what has access to the logs? How long are the logs maintained(record retention time)? How are the logs backed up; log server separate from transaction server? Responsibility for periodic review of systems generated logs 15 Objective? Ensure the integrity of audit trail data against unauthorized modification

Policies and Procedures Concerns Do policies exist e.g on Encryption, data/log retentions, passwords, 3 rd party access etc 16 Do they meet mgt s compliance needs Periodic reviews Relevance Performance Conformity Regulatory requirements Best practices; COSO, COBIT

Business Continuity/ Disaster recovery? 17 Security Assurance issues Disaster? Define a disaster Business continuity/disaster Recovery Plan Recovery time objectives in case of disaster Resource requirements System/network recovery plan Evidence of testing the plan Resource requirements People Equipment etc Outsourced service provider BCP/DRP arrangements

Compliance -Legal and regulatory framework Do legal and regulatory requirements for enforceability and remedies for data electronically transmitted and received exist? 18 Is compliance reviewed? Does IT processes conflict with other existing legal framework? Acknowledgment of transactions/receipts/payments in e-transactions; what do the laws regulations require?

Mutual compliance Service Level Management 19 Performance metrics are measured and reported on periodically Charges for lapses and rewards for over performances defined Rights to inspection/audit of service provider defined e.g SAS 70 in the USA.

20 ITSEC Management; Adding Business Value The benefits of an effective, well designed Security Management system extend to foundations of business itself! Benefits are derived through enhancement of Confidentiality, Integrity and Availability of Information systems Pro-active threat management(part of Security Management) delivers business value! Business Value of Pro-Active threat Management! Cost Management Reduction of number and frequency of successful attacks increases productivity as less time is spent on recovery efforts Business Continuity Impact on the availability of critical systems could result onto loss production time, million dollar transactions, loss of key clients, suppliers and business relationships Risk mitigation Reduction of attacks and potential attacks improves business risk profile Asset protection Web applications, operating systems and critical business processes Improved management control Better quality and increased scope of available information across business Operational efficiencies Improvement in the input output ratios

Contd ; Adding Business Value CIA? 21 Confidentiality Increased Compliance e.g data protection, copyrights Insulation of trade secrets Clients and User information protection Improved customer confidence; business growth/market Devt. Integrity Protection of business data against unauthorized access and alteration Access of business information/data on a need to know, have and do basis!-access privileges Security of business Info/data across networks- Encryptions Availability Increased systems reliability Continuous business operations; less downtimes, outages Increased productivity ; ensuring systems uptime Increased user/client satisfaction and client relationships ISACA- KAMPALA 28th April 2010

.Business Value; The BSC? 22 Business Innovations Availability of information on markets, stocks,investments etc Improvement of Business image Product differentiation Product development mobile money? Growth and Learning Customer focus Financial Processes Profitability Sales turnover- Airtime Reporting and disclosure Supply chain mgt- Amazon. e-payments credit cards Production

the Challenges 23 The weakest point in ITSEC; Human factor Availability of skilled, knowledgeable and experienced IT security resources The broader and varied view of security across business; Finance, Sales and Board Security monitoring 24x7. Lights out operations in production Job scheduling Increase in Social Engineering in all its forms Lack of a pro-active management of Security reaction mode! Dynamic business risk profile Management of third Party IT service providers Lack of business Security awareness programmes Business IT Governance maturity levels Balancing security with systems performance

.Conclusion and think about it! Key ITSEC Investment Questions! How much is the lack of security costing business? What impact is the lack of security having on productivity? What impact would a material security breach have? What are the cost effective Secuirty solutions? Is the exposure being reduced? 24 Source: G41 :Return on Security and Investment (ROSI) Thank you! ISACA- KAMPALA 28th April 2010

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback