planning chapter 2. orientation the first chapter focused on threats the rest of the book focuses on...
TRANSCRIPT
PlanningChapter 2
Orientation
• The first chapter focused on threats
• The rest of the book focuses on defense
• In this chapter, we will see that defensive thinking is build around the plan-protect-respond cycle
• In this chapter, we will focus on planning
• Chapters 3 to 8 focus on protection (day-by-day defense)
• Chapter 9 focuses on response
Copyright Pearson Prentice-Hall 2010
2
But FirstMr. Swartz
Copyright Pearson Prentice-Hall 2010
3
Illegal?
• Illegal - 30
• Legal – 1ish
• Unethical - 16
Copyright Pearson Prentice-Hall 2010
4
JSTOR
• Early Journal Content• Journal content in JSTOR published prior to 1923 in the United
States and prior to 1870 elsewhere freely available to anyone, anywhere in the world
• Register & Read• give researchers read-only access to some journal articles, no
payment required• Users won’t be able to download the articles• Access only three at a time• minimum viewing time frame of 14 days per article
• The Register & Read beta is an exciting next step that we are taking, working closely with our publisher partners who own this content.”
Copyright Pearson Prentice-Hall 2009
5
Computer Fraud and Abuse Act
• Pertains to Financial and Government Computers
• Pertains to affecting interstate commerce or communication• Knowingly accessing a computer without authorization in order to obtain national security data
• Intentionally accessing a computer without authorization to obtain:• Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a
consumer.
• Information from any department or agency of the United States
• Information from any protected computer if the conduct involves an interstate or foreign communication
• Intentionally accessing without authorization a government computer and affecting the use of the government's operation of the computer.
• Knowingly accessing a protected computer with the intent to defraud and there by obtaining anything of value.
• Knowingly causing the transmission of a program, information, code, or command that causes damage or intentionally accessing a computer without authorization, and as a result of such conduct, causes damage that results in:• Loss to one or more persons during any one-year period aggregating at least $5,000 in value.
• The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals.
• Physical injury to any person.
• A threat to public health or safety
• .Damage affecting a government computer system
• Knowingly and with the intent to defraud, trafficking in a password or similar information through which a computer may be accessed without authorization.
Copyright Pearson Prentice-Hall 2009
6
2-9: Legal Driving Forces
• Privacy Protection Laws• The European Union (E.U.) Data Protection
Directive of 2002• Many other nations have strong commercial data
privacy laws• The U.S. Gramm–Leach–Bliley Act (GLBA)• The U.S. Health Information Portability and
Accountability Act (HIPAA) for private data in health care organizations
Copyright Pearson Prentice-Hall 2010
7
2-9: Legal Driving Forces
• Data Breach Notification Laws• California’s SB 1386• Requires notification of any California citizen
whose private information is exposed• Companies cannot hide data breaches anymore
• Federal Trade Commission (FTC)• Can punish companies that fail to protect private
information• Fines and required external auditing for several
years
Copyright Pearson Prentice-Hall 2010
8
California Senate Bill 24
Since 2002, California law has required data holders to notify individuals if their data is lost or stolen.
The new law, however, requires each notice to contain in "plain language”◦ name and contact information of the data holder◦ types of personal information compromised by the breach◦ Brief description of the incident◦ contact information for the major credit reporting agencies◦ whether the notification was delayed as a result of an
investigation by law enforcement.
Copyright Pearson Prentice-Hall 2010
9
2-9: Legal Driving Forces
• Industry Accreditation• For hospitals, etc.• Often have to security requirements
• PCS-DSS• Payment Card Industry–Data Security Standards• Applies to all firms that accept credit cards• Has 12 general requirements, each with specific
subrequirements
Copyright Pearson Prentice-Hall 2010
10
2-9: Legal Driving Forces
• FISMA• Federal Information Security Management Act of 2002• Processes for all information systems used or operated
by a U.S. government federal agencies• Also by any contractor or other organization on behalf
of a U.S. government agency• Certification, followed by accreditation• Continuous monitoring• Criticized for focusing on documentation instead of
protectionCopyright Pearson Prentice-Hall 2010
11
2-9: Legal Driving Forces
• Compliance Laws and Regulations• Compliance laws and regulations create
requirements for corporate security• Documentation requirements are strong
• Identity management requirements tend to be strong
• Compliance can be expensive• There are many compliance laws and regulations,
and the number is increasing rapidly
Copyright Pearson Prentice-Hall 2010
12
2-9: Legal Driving Forces• Sarbanes–Oxley Act of 2002
• Massive corporate financial frauds in 2002• Act requires firm to report material deficiencies in
financial reporting processes• Material deficiency a significant deficiency, or
combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected
Copyright Pearson Prentice-Hall 2010
13
2-9: Legal Driving Forces• Sarbanes–Oxley Act of 2002
• Report material control deficiencies in the financial reporting process
Copyright Pearson Prentice-Hall 2010
14
Back to Planning
Copyright Pearson Prentice-Hall 2010
15
2-1: Management is the Hard Part
• Technology Is Concrete• Can visualize devices and transmission lines
• Can understand device and software operation
• But we can’t just focus on the concrete vs. the abstract
• Management Is Abstract
• Management Is More Important• Security is a process, not a product (Bruce Schneier)
Copyright Pearson Prentice-Hall 2010
16
What to Protect?
• Databases and Servers – easy to identify
• Organizational Processes – less so• Financial Reporting (should be easier for
Accountants)• New Product Development (ie. I.P)
Copyright Pearson Prentice-Hall 2010
17
2-4: Security Management Is a Disciplined Process
• Complex• Cannot be managed informally
• Need Formal Processes• Planned series of actions in security management• Annual planning• Processes for planning and developing individual countermeasures
• Must be Continuous
• Must meet legal and other compliance regulations
• Thus…
Copyright Pearson Prentice-Hall 2010
18
2-5: The Plan-Protect-Respond Cycle for
Security Management
Copyright Pearson Prentice-Hall 2010
19
Dominates security management thinking
2-7: Vision
• Security as an Enabler• Security is often thought of as a preventer• But security is also an enabler• If a company has good security, it can do things
otherwise impossible• Engage in interorganizational systems with other
firms (Dell, Wal Mart)• Can use SNMP SET commands to manage their
systems remotely• Must get in early on projects to reduce
inconvenience
Copyright Pearson Prentice-Hall 2010
20
2-8: Strategic IT Security Planning
• Identify Current IT Security Gaps
• Identify Driving Forces• The threat environment• Compliance laws and regulations• Corporate structure changes, such as mergers
• Identify Corporate Resources Needing Protection• Enumerate all resources• Rate each by sensitivity
Copyright Pearson Prentice-Hall 2010
21
2-8: Strategic IT Security Planning
• Develop Remediation Plans• Develop a remediation plan for all security gaps• Develop a remediation plan for every resource
unless it is well protected
• Develop an Investment Portfolio• You cannot close all gaps immediately• Choose projects that will provide the largest
returns• Implement these
Copyright Pearson Prentice-Hall 2010
22
2-13: Risk Analysis
• Realities• Can never eliminate risk• “Information assurance” is impossible
• Risk Analysis• Goal is reasonable risk• Risk analysis weighs the probable cost of
compromises against the costs of countermeasures• Also, security has negative side effects that must
be weighed
Copyright Pearson Prentice-Hall 2010
23
2-13: Risk Analysis
Single Loss Expectancy (SLE)
• Asset Value (AV)
• X Exposure Factor (EF)• Percentage lost in asset
value if a compromise occurs
• = Single Loss Expectancy (SLE)• Expected loss in case of a
compromise
Annualized Loss Expectancy (ALE)
• SLE• X Annualized Rate of
Occurrence (ARO)• Annual probability of a
compromise
• = Annualized Loss Expectancy (ALE)• Expected loss per year
from this type of compromise
Copyright Pearson Prentice-Hall 2010
24
2-14: Classic Risk Analysis Calculation
Copyright Pearson Prentice-Hall 2010
25
Base Case
Countermeasure
A
Asset Value (AV) $100,000 $100,000
Exposure Factor (EF) 80% 20%
Single Loss Expectancy (SLE): = AV*EF $80,000 $20,000
Annualized Rate of Occurrence (ARO) 50% 50%
Annualized Loss Expectancy (ALE): = SLE*ARO $40,000 $10,000
ALE Reduction for Countermeasure NA $30,000
Annualized Countermeasure Cost NA $17,000
Annualized Net Countermeasure Value NA $13,000
Countermeasure A should reduce the exposure factor by 75%Countermeasure A should reduce the exposure factor by 75%
2-14: Classic Risk Analysis Calculation
Copyright Pearson Prentice-Hall 2010
26
Base Case
Countermeasure
B
Asset Value (AV) $100,000 $100,000
Exposure Factor (EF) 80% 80%
Single Loss Expectancy (SLE): = AV*EF $80,000 $80,000
Annualized Rate of Occurrence (ARO) 50% 25%
Annualized Loss Expectancy (ALE): = SLE*ARO $40,000 $20,000
ALE Reduction for Countermeasure NA $20,000
Annualized Countermeasure Cost NA $4,000
Annualized Net Countermeasure Value NA $16,000
Counter measure B should cut the frequency of compromises in half
Counter measure B should cut the frequency of compromises in half
2-14: Classic Risk Analysis Calculation
Copyright Pearson Prentice-Hall 2010
27
Base Case
Countermeasure
A B
Asset Value (AV) $100,000 $100,000 $100,000
Exposure Factor (EF) 80% 20% 80%
Single Loss Expectancy (SLE): = AV*EF $80,000 $20,000 $80,000
Annualized Rate of Occurrence (ARO) 50% 50% 25%
Annualized Loss Expectancy (ALE): = SLE*ARO $40,000 $10,000 $20,000
ALE Reduction for Countermeasure NA $30,000 $20,000
Annualized Countermeasure Cost NA $17,000 $4,000
Annualized Net Countermeasure Value NA $13,000 $16,000
Although Countermeasure A reduces the ALE more,Countermeasure B is much less expensive.
The annualized net countermeasure value for B is larger.
The company should select countermeasure B.
Although Countermeasure A reduces the ALE more,Countermeasure B is much less expensive.
The annualized net countermeasure value for B is larger.
The company should select countermeasure B.
2-15: Problems with Classic Risk Analysis Calculations
• Uneven Multiyear Cash Flows• For both attack costs and defense costs• Must compute the return on investment (ROI) using
discounted cash flows• Net present value (NPV) or internal rate of return
(ROI)
Copyright Pearson Prentice-Hall 2010
28
2-15: Problems with Classic Risk Analysis Calculations
• Total Cost of Incident (TCI)• Exposure factor in classic risk analysis assumes that a
percentage of the asset is lost• In most cases, damage does not come from asset loss• For instance, if personally identifiable information is
stolen, the cost is enormous but the asset remains• Must compute the total cost of incident (TCI)• Include the cost of repairs, lawsuits, and many other
factors
Copyright Pearson Prentice-Hall 2010
29
2-15: Problems with Classic Risk Analysis Calculations
• Many-to-Many Relationships between Countermeasures and Resources• Classic risk analysis assumes that one countermeasure
protects one resource• Single countermeasures, such as a firewall, often
protect many resources• Single resources, such as data on a server, are often
protected by multiple countermeasures• Extending classic risk analysis is difficult
Copyright Pearson Prentice-Hall 2010
30
2-15: Problems with Classic Risk Analysis Calculations
• Impossibility of Knowing the Annualized Rate of Occurrence• There simply is no way to estimate this• This is the worst problem with classic risk analysis• As a consequence, firms often merely rate their
resources by risk level
Copyright Pearson Prentice-Hall 2010
31
2-15: Problems with Classic Risk Analysis Calculations
• Problems with “Hard-Headed Thinking”• Security benefits are difficult to quantify• If only support “hard numbers” may underinvest in
security
Copyright Pearson Prentice-Hall 2010
32
2-15: Problems with Classic Risk Analysis Calculations
• Perspective• Impossible to do perfectly• Must be done as well as possible• Identifies key considerations• Works if countermeasure value is very large or very
negative• But never take classic risk analysis seriously
Copyright Pearson Prentice-Hall 2010
33
Risk Management
OCTAVE Allegro
OCTAVE
• Operationally
• Critical
• Threat,
• Asset,
• Vulnerability
• Evaluation
Risk
• The combination of a threat (a condition) and the resulting impact of the threat if acted upon (a consequence).
OCTAVE
• Methodology for identifying and evaluating security risks
• develop qualitative risk evaluation criteria that describe the organization’s operational risk tolerances
• identify assets that are important to the mission of the organization
• identify vulnerabilities and threats to those assets
• determine and evaluate the potential consequences to the organization if threats are realized
OCTAVE Methodologies
• OCTAVE
• OCTAVE-S
• OCTAVE-Allegro
OCTAVE• For large Organizations >300 employees
• have a multi-layered hierarchy
• maintain their own computing infrastructure
• have the ability to run vulnerability evaluation tools
• have the ability to interpret the results of vulnerability evaluations
• performed in a series of workshops conducted and facilitated by an interdisciplinary analysis team drawn from business units throughout the organization (e.g. senior management, operational area managers, and staff) and members of the IT department [Alberts 2002].
• Phase I• Organizational View
• Identify important information assets
• Phase II• Technological View
• Supplement Threat Analysis
• Phase III• Strategy and Plan
• Risk Identification• Risk Mitigation
OCTAVE-S
• For Small Manufacturing Companies
• performed by an analysis team that has extensive knowledge of the organization
• designed to include a limited examination of infrastructure risks• No vulnerability testing (or limited)
OCTAVE Allegro
• Broad Assessment of Operational Risk Environment
• Focus on Information Assets• How they are used• Where they are used• Where they are stored, transported, & processed• How are they exposed to
• Threats, Vulnerabilities & Disruptions
8 Steps / 4 Phases
Step1:Establish Risk Measurement Criteria
Step2:Develop Information Asset Profile
Step 3:Identify Information Asst Containers
Step 4:Identify Areas of Concern
Step 5:Identify Threat Scenarios
Step 6:Identify Risks
Step 7:AnalyzeRisks
Step 8:SelectMitigationApproach
Establish Drivers Profile Assets Identify Threats Identify/Mitigate Risks
The outputs of each step are recorded in a worksheet and become inputs for the next step
Step 1 Establish Risk Measurement Criteria
• Risk Measurement Criteria Determined:• Qualitative Measure
• Used to evaluate effect of Risk
• Forms information asset risk assessment
• Rank Significance of Impact Area• E.g. Customers vs. Compliance
The most important category should receive the highest score and the least important the lowest.
Step 2: Develop Information Asset Profile
• Information Asset• information or data that is of value to the organization• Can exist in physical form (on paper, CDs, or other
media) or• Electronically (stored in databases, in files, on personal
computers).
• Describe Assets:• unique features, qualities, characteristics, and value• unambiguous definition of the asset’s boundaries• security requirements for the asset are adequately
defined• Confidentiality, Integrity, Availability
Step 2: Select Critical Information Assets
• Focus on “critical few”
• Which would have the largest impact on your organization, based on the Risk Measurement if:• The asset or assets were disclosed to unauthorized
people. • The asset or assets were modified without
authorization. • The asset or assets were lost or destroyed.• Access to the asset or assets was interrupted.
Step 3: Identify Information Asset Containers
• Places where Information Assets are:• Stored• Processed• Transported
• Three Types of Containers• Technical:
• hardware, software, application systems, servers, and networks or
• Physical:• file folders (where information is stored in written form)
• People (who may carry around important information such as intellectual property).
• Containers are both Internal to the Organization and External
• an organization must identify all of the locations where its information assets are stored, transported, or processed, whether or not they are within the organization’s direct control.
• Containers Risks are inherited by Information Assets within them
Step 3: Security of Information Asset Containers
• Controls are at the Container level
• Security depends on how well the control reflects security requirements of container
• Any vulnerabilities or threats to a Container is inherited by the Information Asset inside
Step 4: Identify Areas of Concern
• Identify Conditions that can threaten information assets
• Not intended to be an exhaustive list of all Threats
• Rather a list of threats that are immediately thought of
Step 5: Identify Threat Scenarios
• Areas of Concern are expanded into
• Threat Scenarios• Actor Involved• Means• Motive• Outcome• Security Requirements
• From Threat Scenario Questionnaires• Probability of Occurrence
• High, Medium, Low
For Any Yes from the questionnaireCreate anInformationAssetRiskWorksheet
Step 6: Identify Risks
• Determine Consequences if Threat Occurs
• More than one consequence is possible• Reputation Consequence• Financial Consequence
• Threat (condition) + Impact (consequence) = Risk
• [Steps 4 and 5] + [Step 6] = Risk
Step 7: Analyze Risk
• Compute Quantitative Measure of Risk• Using Consequence and Relative Importance of
Impact Area• High = 3, Medium = 2 or Low = 1
• Probability (if used)
The scores generated in this activity
are only meant to be used as a
prioritization tool. Differences between
risk scores are not considered to be
relevant. In other words, a score of 48
means that the risk is relatively more
important to the organization than a
score of 25, but there is no importance
to the difference of 13 points.
Step 8: Select Mitigation Approach
• First, Prioritize Risks based on Risk Score (7)
• Mitigation strategies are developed that consider the value of the asset
• The Assets security requirements
• The containers in which it lives
• The organization’s unique operating environment.
Types of Mitigation
• Accept• Take no action, risk has low or zero impact
• Mitigate• Develop controls to counter risk
• Defer• Gather more information and re-analyze in the
future
Risk Matrix
Take Relative Risk score and divide into 4 even Pools. Than use pools to determine Mitigation, Defer, or Accept decision. If probabilities are used than create Matrix (Probability of Occurrence x Risk score)
2-16: Responding to Risk
• Risk Reduction / Mitigation• The approach most people consider• Install countermeasures / controls to reduce harm• Makes sense only if risk analysis justifies the
countermeasure / control
• Risk Acceptance• If protecting against a loss would be too expensive,
accept losses when they occur• Good for small, unlikely losses• Good for large but rare losses
Copyright Pearson Prentice-Hall 2010
72
2-16: Responding to Risk
• Risk Transference• Buy insurance against security-related losses• Especially good for rare but extremely damaging attacks• Does not mean a company can avoid working on IT
security• Security in place = Lower Premiums• Bad or Little Security = Not insurable
• Risk Avoidance• Not to take a risky action• Lose the benefits of the action• May cause anger against IT security
Copyright Pearson Prentice-Hall 2010
73
Example
• Hospital Patient Information Database
2-10: Organizational Issues
• Chief Security Officer (CSO)• Also called chief information security officer (CISO)
• Where to Locate IT Security?• Within IT
• Compatible technical skills• CIO will be responsible for security
• Outside of IT• Gives independence
• Hard to blow the whistle on IT and the CIO• This is the most commonly advised choice
• Hybrid• Place planning, policy making, and auditing outside of IT• Place operational aspects such as firewall operation within IT
Copyright Pearson Prentice-Hall 2010
75
2-10: Organizational Issues
• Relationships with Other Departments• Special relationships
• Auditing departments• IT auditing, internal auditing, financial auditing
• Might place security auditing under one of these
• This would give independence from the security function
• Facilities (buildings) management
• Uniformed security
Copyright Pearson Prentice-Hall 2010
76
2-10: Organizational Issues
• Relationships with Other Departments• All corporate departments
• Cannot merely toss policies over the wall
• Business partners• Must link IT corporate systems together
• Before doing so, must exercise due diligence in assessing their security
Copyright Pearson Prentice-Hall 2010
77
2-10: Organizational Issues
• Outsourcing IT Security• Only e-mail or webservice (Figure 2-11)• Managed Security Service Providers (MSSPs)
(Figure 2-12)• Outsource most IT security functions to the MSSP
• But usually not policy
• Example of MSSP Companies (From RSA)
Copyright Pearson Prentice-Hall 2010
78
2-11: E-Mail Outsourcing
Copyright Pearson Prentice-Hall 2010
79
2-12: Managed Security Service Provider (MSSP)
Copyright Pearson Prentice-Hall 2010
80
2-17: Corporate Technical Security Architecture
• Technical Security Architectures• Definition
• All of the company’s technical countermeasures
• And how these countermeasures are organized
• Into a complete system of protection
• Architectural decisions• Based on the big picture
• Must be well planned to provide strong security with few weaknesses
Copyright Pearson Prentice-Hall 2010
81
2-2: The Need for Comprehensive Security
Copyright Pearson Prentice-Hall 2010
82
Aka Defenders Dilemma
2-3: Weakest Link Failure
Copyright Pearson Prentice-Hall 2010
83
A failure in any component will lead to failure for the entire system. Keep in mind this is a single counter-measure (Firewall)
2-17: Corporate Technical Security Architecture
• Principles• Defense in depth
• Resource is guarded by several countermeasures in series
• Attacker must breach them all, in series, to succeed
• If one countermeasure fails, the resource remains safe
Copyright Pearson Prentice-Hall 2010
84
2-17: Corporate Technical Security Architecture
• Principles• Defense in depth versus weakest links
• Defense in depth: multiple independent countermeasures that must be defeated in series
• Weakest link: a single countermeasure with multiple interdependent components that must all succeed for the countermeasure to succeed
Copyright Pearson Prentice-Hall 2010
85
2-17: Corporate Technical Security Architecture
• Principles• Avoiding single points of vulnerability
• Failure at a single point can have drastic consequences
• DNS servers, central security management servers, etc.
Copyright Pearson Prentice-Hall 2010
86
2-17: Corporate Technical Security Architecture
• Principles• Minimizing security burdens• Realistic goals
• Cannot change a company’s protection level overnight
• Mature as quickly as possible
Copyright Pearson Prentice-Hall 2010
87
2-17: Corporate Technical Security Architecture
• Elements of a Technical Security Architecture• Border management• Internal site management• Management of remote connections• Interorganizational systems with other firms• Centralized security management
• Increases the speed of actions
• Reduces the cost of actions
Copyright Pearson Prentice-Hall 2010
88
2-18: Policies
• Policies• Statements of what is to be done• Provides clarity and direction• Does not specify in detail how the policy is to be
implemented in specific circumstances• This allows the best possible implementation at
any time• Vary widely in length
Copyright Pearson Prentice-Hall 2010
89
2-18: Policies
• Tiers of Security Policies• Brief corporate security policy to drive everything• Major policies
• Hiring and firing
• Personally identifiable information
• …
Copyright Pearson Prentice-Hall 2010
90
2-18: Policies
• Tiers of Security Policies• Acceptable use policy
• Summarizes key points of special importance for users
• Typically, must be signed by users
• Policies for specific countermeasures• Again, separates security goals from
implementation
Copyright Pearson Prentice-Hall 2010
91
Policy vs. Laws
• Ignorance of Policy is valid Defense• Criteria for Enforceable Policy
• Dissemination• Policy is readily available to employees
• Review• Policy is intelligible, including different languages and
disabilities• Comprehension
• Employee understood the policy (Quizzes, etc.)• Compliance
• Employee Agrees to comply with policy (written or “click”)• Uniform Enforcement
• Regardless of employee status or position
Copyright Pearson Prentice-Hall 2010
92
2-18: Policies
• Writing Policies• For important policies, IT security cannot act alone
• There should be policy-writing teams for each policy
• For broad policies, teams must include IT security, management in affected departments, the legal department, and so forth
• The team approach gives authority to policies
• It also prevents mistakes because of IT security’s limited viewpoint
Copyright Pearson Prentice-Hall 2010
93
2-19: Policies, Implementation, and Oversight
Copyright Pearson Prentice-Hall 2010
94
2-20: Implementation Guidance
• Types of Implementation Guidance• Procedures: detailed specifications for how
something should be done
• Can be either standards or guidelines
• Segregation of duties: two people are required to complete sensitive tasks
• In movie theaters, one sells tickets and the other takes tickets
• No individual can do damage, although
Copyright Pearson Prentice-Hall 2010
95
2-20: Implementation Guidance
• Types of Implementation Guidance• Request/authorization control
• Limit the number of people who may make requests on sensitive matters
• Allow even fewer to be able to authorize requests
• Authorizer must never be the requester
• Mandatory vacations to uncover schemes that require constant maintenance
• Job rotation to uncover schemes that require constant maintenance
Copyright Pearson Prentice-Hall 2010
96
2-20: Implementation Guidance
• Types of Implementation Guidance• Procedures: detailed descriptions of what should
be done• Processes: less detailed specifications of what
actions should be taken• Necessary in managerial and professional business
function
• Baselines: checklists of what should be done but not the process or procedures for doing them
Copyright Pearson Prentice-Hall 2010
97
2-20: Implementation Guidance
• Types of Implementation Guidance• Best practices: most appropriate actions in other
companies• Recommended practices: normative guidance• Accountability
• Owner of resource is accountable
• Implementing the policy can be delegated to a trustee, but accountability cannot be delegated
• Codes of ethics
Copyright Pearson Prentice-Hall 2010
98
2-21: Ethics
• Ethics• A person’s system of values• Needed in complex situations• Different people may make different decisions in
the same situation• Companies create codes of ethics to give guidance
in ethical decisions
Copyright Pearson Prentice-Hall 2010
99
2-21: Ethics
• Code of Ethics: Typical Contents (Partial List)• Importance of good ethics to have a good workplace
and to avoid damaging a firm’s reputation
• The code of ethics applies to everybody• Senior managers usually have additional requirements
• Improper ethics can result in sanctions, up to termination
• An employee must report observed ethical behavior
Copyright Pearson Prentice-Hall 2010
100
2-21: Ethics
• Code of Ethics: Typical Contents (Partial List)• An employee must involve conflicts of interest
• Never exploit one’s position for personal gain
• No preferential treatment of relatives
• No investing in competitors
• No competing with the company while still employed by the firm
Copyright Pearson Prentice-Hall 2010
101
2-21: Ethics
• Code of Ethics: Typical Contents (Partial List)• No bribes or kickbacks
• Bribes are given by outside parties to get preferential treatment
• Kickbacks are given by sellers when they place an order to secure this or future orders
• Employees must use business assets for business uses only, not personal use
Copyright Pearson Prentice-Hall 2010
102
2-21: Ethics
• Code of Ethics: Typical Contents (Partial List)• An employee may never divulge
• Confidential information
• Private information
• Trade secrets
Copyright Pearson Prentice-Hall 2010
103
2-22: Exception Handling
• Exceptions Are Always Required• But they must be managed
• Limiting Exceptions• Only some people should be allowed to request
exceptions• Fewer people should be allowed to authorize
exceptions• The person who requests an exception must never
be authorizer
Copyright Pearson Prentice-Hall 2010
104
2-22: Exception Handling
• Exception Must be Carefully Documented• Specifically what was done and who did each
action
• Special Attention Should be Given to Exceptions in Periodic Auditing
• Exceptions Above a Particular Danger Level• Should be brought to the attention of the IT
security department and the authorizer’s direct manager
Copyright Pearson Prentice-Hall 2010
105
2-23: Oversight
• Oversight• Oversight is a term for a group of tools for policy
enforcement• Policy drives oversight, just as it drives
implementation
• Promulgation• Communicate vision• Training• Stinging employees?
Copyright Pearson Prentice-Hall 2010
106
2-23: Oversight
• Electronic Monitoring• Electronically-collected information on behavior• Widely done in firms and used to terminate
employees• Warn subjects and explain the reasons for
monitoring
Copyright Pearson Prentice-Hall 2010
107
2-23: Oversight
• Security Metrics• Indicators of compliance that are measured
periodically• Percentage of passwords on a server that are
crackable, etc.• Periodic measurement indicates progress in
implementing a policy
Copyright Pearson Prentice-Hall 2010
108
2-23: Oversight
• Auditing• Samples information to develop an opinion about
the adequacy of controls• Database information in log files and prose
documentation• Extensive recording is required in most
performance regimes• Avoidance of compliance is a particularly
important finding
Copyright Pearson Prentice-Hall 2010
109
2-23: Oversight
• Auditing• Internal and external auditing may be done• Periodic auditing gives trends• Unscheduled audits trip up people who plan their
actions around periodic audits
Copyright Pearson Prentice-Hall 2010
110
2-23: Oversight
• Anonymous Protected Hotline• Often, employees are the first to detect a serious
problem• A hotline allows them to call it in• Must be anonymous and guarantee protection
against reprisals• Offer incentives for heavily damaging activities
such as fraud?
Copyright Pearson Prentice-Hall 2010
111
2-23: Oversight
• Behavioral Awareness• Misbehavior often occurs before serious security
breaches• The fraud triangle indicates motive. (see Figure 2-
24)
Copyright Pearson Prentice-Hall 2010
112
2-23: Oversight
• Vulnerability Tests• Attack your own systems to find vulnerabilities• Free and commercial software• Never test without a contract specifying the exact
tests, signed by your superior• The contract should hold you blameless in case of
damage
Copyright Pearson Prentice-Hall 2010
113
2-23: Oversight
• Vulnerability Tests• External vulnerability testing firms have expertise
and experience• They should have insurance against accidental
harm and employee misbehavior• They should not hire hackers or former hackers• Should end with a list of recommended fixes• Follow-up should be done on whether these fixed
occurred
Copyright Pearson Prentice-Hall 2010
114
2-25: Governance Frameworks
Copyright Pearson Prentice-Hall 2010
115
2-26: COSO• Origins
• Committee of Sponsoring Organizations of the Treadway Commission (www.coso.org)
• Ad hoc group to provide guidance on financial controls
• Focus• Corporate operations, financial controls, and
compliance• Effectively required for Sarbanes–Oxley compliance• Goal is reasonable assurance that goals will be met
Copyright Pearson Prentice-Hall 2010
116
2-26: COSO
• Components• Control Environment
• General security culture
• Includes “tone at the top”
• If strong, weak specific controls may be effective
• If weak, strong controls may fail
• Major insight of COSO
Copyright Pearson Prentice-Hall 2010
117
2-26: COSO
• Components• Risk assessment
• Ongoing preoccupation
• Control activities• General policy plus specific procedures
Copyright Pearson Prentice-Hall 2010
118
2-26: COSO
• Components• Monitoring
• Both human vigilance and technology
• Information and communication• Must ensure that the company has the right
information for controls
• Must ensure communication across all levels in the corporation
Copyright Pearson Prentice-Hall 2010
119
2-27: CobiT
• CobiT• Control Objectives for Information and Related
Technologies• CIO-level guidance on IT governance• Offers many documents that help organizations
understand how to implement the framework
Copyright Pearson Prentice-Hall 2010
120
2-27: CobiT• The CobiT Framework
• Four major domains (Figure 2-26)
Copyright Pearson Prentice-Hall 2010
121
2-27: CobiT
• The CobiT Framework• Four major domains (Figure 2-26)• 34 high-level control objectives
• Planning and organization (11)
• Acquisition and implementation (60)
• Delivery and support (13)
• Monitoring (4)
• More than 300 detailed control objectives
Copyright Pearson Prentice-Hall 2010
122
2-27: CobiT
• Dominance in the United States• Created by the IT governance institute• Which is part of the Information Systems Audit
and Control Association (ISACA)• ISACA is the main professional accrediting body
of IT auditing• Certified information systems auditor (CISA)
certification
Copyright Pearson Prentice-Hall 2010
123
2-29: The ISO/IEC 27000 Family of Security Standards
• ISO/IEC 27000• Family of IT security standards with several individual
standards• From the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC)
• ISO/IEC 27002• Originally called ISO/IEC 17799• Recommendations in 11 broad areas of security
management
Copyright Pearson Prentice-Hall 2010
124
2-29: The ISO/IEC 27000 Family of Security Standards
• ISO/IEC 27002: Eleven Broad Areas
Copyright Pearson Prentice-Hall 2010
125
Security policy Access control
Organization of information security Information systems acquisition, development and maintenance
Asset management Information security incident management
Human resources security Business continuity management
Physical and environmental security Compliance
Communications and operations management
2-29: The ISO/IEC 27000 Family of Security Standards
• ISO/IEC 27001• Created in 2005, long after ISO/IEC 27002• Specifies certification by a third party
• COSO and CobiT permit only self-certification
• Business partners prefer third-party certification
• Other 27000 Standards• Many more 27000 standards documents are under
preparation
Copyright Pearson Prentice-Hall 2010
126
The End
127
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.
Copyright © 2010 Pearson Education, Inc. Copyright © 2010 Pearson Education, Inc. Publishing as Prentice HallPublishing as Prentice Hall