

1

The Information Security Standards Marketplace
Richard Baskerville
Visiting Professor
Bocconi University

2

Conclusion

Rather than just a technical decision subject to regulatory requirements, IT security standards adoption is a decision taken in a complex marketplace of competing standards, competing service providers, competing security design methods, and competing national and international legislative requirements, all under the oversight of closely watched audit firms and government regulators. The audit dependence on standards in this market inverts the economic decisions for internal controls in information systems. Without regulatory standards, risk economics are necessary to justify acquisition and implementation of controls. With regulatory standards, risk economics are necessary to justify exceptions to the acquisition and implementation of controls. The impact of this economic shift may drive down organizational competitiveness or increase misleading compliance behaviour among IT professionals.

3

Outline

1. The Information Security Standards Marketplace
2. Competing National And International Legislative Requirements
3. Competing Standards And Competing Service Providers
4. Audit Firms And Government Regulators
5. Reoriented Security Design Methods

4

The Information Security Standards Marketplace

[Marketplace diagram. Elements: IT Security Standards; IT Service Providers Specializing in Security Standards; National and Extraterritorial Legislation; Regulatory Bodies; Audit Firms; IT Operations in Publicly Held Firms; IT Security Design Processes; IT Security Operation Processes. Link labels: Competition; Competition; Reoriented.]

5

Competing National And International Legislative Requirements

6

Public Company Audit Reforms Restore Investor Confidence in Capital Markets

- Significant changes to securities laws or practices
- The wake of corporate financial scandals
  - Enron
  - Arthur Andersen
  - WorldCom
- European Union Council 8th Directive (Expansion)
- Sarbanes-Oxley Act of 2002 (US)
- Corporate Law Economic Reform Program (CLERP 9) (Australia)

7

EU 8th Directive

- Establishes a new audit regulatory committee composed of member states and chaired by a representative of the European Commission (EC). The committee will assist the EC in establishing the implementation measures of the directive.
- Auditors or audit firms must:
  - Be approved and registered in any member state.
  - Meet continuous education requirements.
  - Be subject to robust professional ethics.
  - Be independent from the audited company.
  - Adhere to the International Standards on Auditing.
  - Meet quality assurance standards.
  - Be governed by the member state system of investigation and sanctions.
  - Be subject to public oversight.
  - Follow relationship procedures with an audited entity.
  - Disclose an internal governance statement.
  - Cooperate with the mandated audit committee in financial reporting.

Source: Braiotta, Louis (2005) "An overview of the EU 8th Directive: the European Union prepares to issue its response to corporate malfeasance", Internal Auditor, April.

8

US: Sarbanes-Oxley Act of 2002 (107 H.R. 3763)
(Sarbox or Sox)

- Enhanced Financial Disclosures
  - Title IV (Sections 401-409)
- Deals with company responsibilities for periodic financial reports, assessment of internal controls, code of ethics, and other aspects of disclosures.
- Section 404: Management Assessment Of Internal Controls.
- Requires an “internal control report”
  - Establish and maintain adequate internal control structure and procedures
  - Assess their effectiveness

[Photo caption: Senator Paul Sarbanes and Representative Michael Oxley being congratulated on the 30 July 2002 signing of their act after approval by the House 423-3 and by the Senate 99-0.]

9

Public Company Accounting Oversight Board
Title I (Sections 101 - 109)

Deals with the establishment of the PCAOB, which registers and reviews Public Accounting Firms under the oversight of the SEC, with responsibility for investigations and disciplinary actions for breaches of accounting standards.

10

Auditor Independence
Title II (Sections 201-209)

- Deals with conflicts of interest in business relationships of audit firms and steps to unveil such conflicts, like rotating firms and audit partners, reporting to audit committee, etc.
- Section 201: Services Outside The Scope Of Practice Of Auditors; Prohibited Activities.
  - This section outlaws an audit firm that provides “non-audit service” to companies during audits, e.g.,
    - Bookkeeping
    - Financial information systems design and implementation
    - Management functions or human resources

11

Corporate Responsibility
Title III (Sections 301-308)

Deals with company audit committees, and the conduct of all officers and directors.

12

Enhanced Financial Disclosures
Title IV (Sections 401-409)

- Deals with company responsibilities for periodic financial reports, assessment of internal controls, code of ethics, and other aspects of disclosures.
- Section 404: Management Assessment Of Internal Controls.
- Requires an “internal control report”
  - Establish and maintain adequate internal control structure and procedures
  - Assess their effectiveness

13

Analyst Conflicts of Interest
Title V (Section 501)

Deals with conflict of interest rules for exchanges and associations.

14

Commission Resources and Authority
Title VI (Sections 601-604)

Deals with budget and authority.

15

Studies and Reports
Title VII (Sections 701-705)

Deals with government reports.

16

Corporate and Criminal Fraud Accountability
Title VIII (Sections 801-807)

Deals with faked or destroyed documents, retention of records, and criminal penalties.

17

White Collar Crime Penalty Enhancements
Title IX (Sections 901-906)

Increases some criminal penalties, criminalizes record tampering and fraudulent financial statements, etc.

18

Corporate Tax Returns
Title X (Section 1001)

CEO must sign tax returns.

19

Corporate Fraud and Accountability
Title XI (Sections 1101-1107)

Deals with record tampering, impeding officials, and SEC authority to freeze payments and exclude securities fraudsters as company officers.

20

Impact on IT
What has this got to do with information systems?

- Business processes are now dependent on IT
- The IT function is crucial
- Compliance means
  - Internal control must map to IT systems
  - IT systems risks must be reported
  - IT controls must be tested

21

CIO Involvement (PWC Guidance)

22

IT “Sabotage”
Bad IT will screw this thing up

Lack of domain knowledge, insular IT culture, and lack of internal control knowledge combine to create significant weaknesses in controls and systems developed by IT. (Cannon & Growe, Journal of Corp. Accounting & Finance, 2004)

23

Avoiding IT Problems
(Cannon & Growe, Journal of Corp. Accounting & Finance, 2004)

- Better utilize internal audit
- Adopt comprehensive control framework
- Raise risk awareness of IT workers
- Train IT on internal control
- Include IT on SOX planning committees
- Loan IT workers to functional departments

24

Or .... Avoiding IT Problems
(Lanz & Tie, Journal of Accountancy, 2004)

- Outsource IT
  - Weak company staff
  - Multiple IT platforms
  - Management dissatisfaction with internal IT
  - Internal politics interferes
- Train CPAs to advise clients on outsourcing of IT
  - When to outsource
  - Where to outsource

25

Australian CLERP 9

- Ethical purpose similar to Sarbox & EU 8, but softer
- Based on disclosure rather than criminalization
- Regulates auditor independence, periodic reporting, and corporate disclosure and certification of financial reports
- Two systems are similar enough to permit parallel compliance
  - SarbOx compliance increases overhead
  - Some issues in attorney-client confidentiality
- Executives are not required to certify the maintenance of internal controls to the public
  - Required to certify to the directors of the company that the financial statements comply with accounting standards and represent the true and fair view of the current financial position of the company

26

Extra-Territorial Law

- The more restrictive legislative framework effectively overrides national regulatory authorities in other countries
- SarbOx takes precedence over CLERP 9 in parallel compliance situations for companies subject to US SEC regulations.
- Can extend to outsourcing vendors where controls are subject to SarbOx compliance reporting

27

Impact: Emerging IT Risk Management Practices
Developed in an industry study

- Define an overall organizational risk management strategy
- Adhere to one of the prevalent IT security standards
- Develop and deploy safeguards and controls that provide the optimal combination of risk treatments
- Provide system risk review mechanisms
- Test all risk treatments

28

Adhere to One of the Prevalent IT Security Standards

- Encodes an overall IT security architecture
- Critically consider controls and safeguards inventory
- E.g., risk analysis to eliminate unnecessary safeguards
- Standard -- risk analysis dialectic

29

Competing Standards And Competing Service Providers

[Marketplace diagram repeated from slide 4.]

30

Guidance and Standards: Examples
Provide assurance and evidence that proper and responsible measures are present in the organization's systems.

- Technical Standards
  - ISO/IEC 17799
- Professional Standards
  - COBIT (Control Objectives for IT), a generally applicable and accepted standard for good information technology security and control practices in organizations.
- Qualification Criteria
  - ITSEC, TCSEC, Common Criteria
- Industry Practices and Standards
  - NIST 800-12 Computer Security Handbook
  - Payment Card Industry (PCI) Standard
  - ITIL (IT Infrastructure Library)

31

Technical Standards Example: ISO/IEC 17799

[Table: ISO/IEC 17799 control areas and their sections]
- Risk assessment & treatment
- Security policy
- Organizational security: Information security infrastructure; Security of third-party access; Outsourcing
- Asset classification and control: Accountability for assets; Information classification
- Human resources security: Job definition and resourcing; User training; Responding to security incidents
- Physical and environmental security: Secure areas; Equipment security
- Communications/operations management: System planning and acceptance; Protection against malicious software
- Access control: User access management; Network access control; Operating system access control; Application access control
- System development and maintenance: Security in application systems; Cryptographic controls; Security of systems files; Security in development; Security in support processes
- Incident management
- Business continuity management
- Compliance: Legal compliance; Reviews; System audit

32

ISO/IEC 17799:2005

33

Risk Assessment & Treatment
ISO 17799

- The objectives of this section are:
  - To establish a process for identifying major security threats and vulnerabilities and determine the potential impact within the context of an organization's business objectives and strategies.

34

PDCA Model

- Plan: Establish the Information Security Management System (ISMS)
- Do: Implement and operate the ISMS
- Check: Monitor and review the ISMS
- Act: Maintain and Improve ISMS

35

ISO 17799

[Figure: the Plan, Do, Check, Act cycle. Source: Gamma Secure Systems, http://www.gammassl.co.uk/bs7799/works.html]

36

Security Policy
ISO 17799

- The objectives of this section are:
  - To provide management direction and support for information security.

37

Organizational Security
ISO 17799

- The objectives of this section are:
  - To manage information security within the Company
  - To maintain the security of organizational information processing facilities and information assets accessed by third parties.
  - To maintain the security of information when the responsibility for information processing has been outsourced to another organization.

38

Human Resources Security
ISO 17799

- The objectives of this section are:
  - To reduce risks of human error, theft, fraud or misuse of facilities;
  - To ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work;
  - To minimise the damage from security incidents and malfunctions and learn from such incidents.

39

Communications and Operations Management
ISO 17799

- The objectives of this section are:
  - To ensure the correct and secure operation of information processing facilities;
  - To minimise the risk of systems failures;
  - To protect the integrity of software and information;
  - To maintain the integrity and availability of information processing and communication;
  - To ensure the safeguarding of information in networks and the protection of the supporting infrastructure;
  - To prevent damage to assets and interruptions to business activities;
  - To prevent loss, modification or misuse of information exchanged between organizations.

40

Access Control
ISO 17799

- The objectives of this section are:
  - To control access to information
  - To prevent unauthorised access to information systems
  - To ensure the protection of networked services
  - To prevent unauthorized computer access
  - To detect unauthorised activities.
  - To ensure information security when using mobile computing and tele-networking facilities

41

System Acquisition, Development and Maintenance
ISO 17799

- The objectives of this section are:
  - To ensure security is built into operational systems;
  - To prevent loss, modification or misuse of user data in application systems;
  - To protect the confidentiality, authenticity and integrity of information;
  - To ensure IT projects and support activities are conducted in a secure manner;
  - To maintain the security of application system software and data.

42

Information Security Incident Management
ISO 17799

- The objectives of this section are:
  - Establish security incident reporting processes that ensure prompt reporting.
  - Ensure that incidents lead to corrective actions.
  - Establish security event escalation processes.
  - Establish contractor and third party reporting processes.

43

Business Continuity Management
ISO 17799

- The objectives of this section are:
  - To counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.

44

Compliance
ISO 17799

- The objectives of this section are:
  - To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements
  - To ensure compliance of systems with organizational security policies and standards
  - To maximize the effectiveness of and to minimize interference to/from the system audit process.

45

Physical and Environmental Security
ISO 17799

- The objectives of this section are:
  - To prevent unauthorised access, damage and interference to business premises and information;
  - To prevent loss, damage or compromise of assets and interruption to business activities;
  - To prevent compromise or theft of information and information processing facilities.

46

Asset Classification and Control
ISO 17799

- The objectives of this section are:
  - To maintain appropriate protection of corporate assets, and
  - To ensure that information assets receive an appropriate level of protection.

47

ISO/IEC 27001:2005
Update of BS 7799

This standard has evolved toward the development of management systems for information security and provides a stronger basis for third party audit and certification. It offers a managerially-oriented complement to the technologically-oriented ISO 17799.

48

Professional Standards Example: CobIT

49

CobIT Architecture
(adapted from "CobIT--Overview" 2005)

[Diagram elements: Business Objectives & IT Governance; Information; IT Resources; the four domains Planning & Organization, Acquisition & Implementation, Delivery & Support and Monitoring, each with its Control Objectives.]

50

CobIT

51

Industry Practices & Standards
Examples: NIST 800-12, PCI, ITIL

52

NIST Computer Security Handbook
Special Publication 800-12

53

NIST Computer Security Division
http://csrc.nist.gov/publications/nistpubs/

- SP 800-12 An Introduction to Computer Security: The NIST Handbook, October 1995
- SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996
- SP 800-18 Guide for Developing Security Plans for Information Technology Systems, December 1998
- SP 800-26 Security Self-Assessment Guide for Information Technology Systems, November 2001
- SP 800-30 Risk Management Guide for Information Technology Systems, July 2002
- SP 800-33 Underlying Technical Models for Information Technology Security, December 2001
- SP 800-34 Contingency Planning Guide for Information Technology Systems, June 2002
- SP 800-55 Security Metrics Guide for Information Technology Systems, July 2003
- SP 800-65 Integrating Security into the Capital Planning and Investment Control Process, January 2005

54

NIST SP 800-14 Reference Model
OECD's Guidelines for the Security of Information Systems

- Accountability - The responsibilities and accountability of owners, providers and users of information systems and other parties...should be explicit.
- Awareness - Owners, providers, users and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures...for the security of information systems.
- Ethics - The information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interest of others are respected.
- Multidisciplinary - Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints....
- Proportionality - Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm....
- Integration - Measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of security.
- Timeliness - Public and private parties, at both national and international levels, should act in a timely coordinated manner to prevent and to respond to breaches of security of information systems.
- Reassessment - The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.
- Democracy - The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.

[Table residue (process areas by level): Strategic Level; Tactical Level; Operational Level. Processes listed: Availability management, Incident management, Problem management, Change management, Release management, Availability management, Financial management, Service-level management.]

55

Payment Card Industry Data Security Standard

- Build and Maintain a Secure Network
  - Install and maintain a firewall configuration to protect data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  - Protect stored data
  - Encrypt transmission of cardholder data and sensitive information across public networks
- Maintain a Vulnerability Management Program
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  - Restrict access to data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes.
- Maintain an Information Security Policy
  - Maintain a policy that addresses information security

56

ITIL
IT Infrastructure Library

- Best practices and guidelines for managing information technology services
- Integrated, process-based approach
- Originated as a 1980s UK government drive
- Focus on quality, efficient, cost-effective delivery of IT services

57

Major ITIL Volumes

- Software asset management
- Service support
- Service delivery
- Planning to implement service management
- ICT infrastructure management
- Application management
- Security management
- The business perspective

58

ITIL Structure
“Best Practices”

59

ITIL Security

- Security Management Products
  - Policies
  - Processes
  - Procedures
  - Work instructions

[Diagram elements, in reading order: Initial Security Effort: Risk Analysis; Security Requirements; Minimum Security Baseline; Requirements Feasibility Analysis; Negotiate & Define SLA; SLA; Negotiate & Define OLA; Customer; IT Service Org.; OLA; Implement; Monitor; Report; Modify. Adapted from Weil, Steven, (2004) "How ITIL Can Improve Information Security", Security Focus (http://www.securityfocus.com/infocus/1815)]

60

Audit Firms And Government Regulators

[Marketplace diagram repeated from slide 4.]

61

Audit Firms And Government Regulators

- SarbOx-driven audit firms reviewing assessment processes for internal controls
  - Was ISO/IEC 17799 or CobIT the better choice?
  - Firms cannot consult, only review
- PCAOB an indirect factor: ensuring that organizational decisions about standards adoption are made independently from an external auditor.

62

Reoriented Security Design Methods

[Marketplace diagram repeated from slide 4.]

63

Security Design Context of Risk Analysis

So many safeguards . . .
We can’t afford to include all of them . . .
But which?

64

Generic Security Design Model
Second Generation Methods

[Diagram, steps in the order shown: Identify and evaluate system assets; Identify and evaluate threats; Identify possible controls; Risk analysis; Prioritize controls for implementation; Implement and maintain controls. Side inputs: Scenarios; Standards or Models.]

65

Security Design Model Example: Octave

66

Octave
Carnegie Mellon Software Engineering Institute

- Operationally Critical Threat, Asset, and Vulnerability Evaluation
- Considers both organizational and technological issues
- Focused on organizational strategy and practice
- Driven by operational risks and security practices

67

Octave Process
(From Christopher Alberts, Audrey Dorofee, James Stevens, Carol Woody, Introduction to the OCTAVE® Approach, August 2003, Software Engineering Institute, http://www.cert.org/octave/pubs.html)

68

Octave Method

- Phase 1: Build Asset-Based Threat Profiles
  - Process 1: Identify Senior Management Knowledge
  - Process 2: Identify Operational Area Knowledge
  - Process 3: Identify Staff Knowledge
  - Process 4: Create Threat Profiles
- Phase 2: Identify Infrastructure Vulnerabilities
  - Process 5: Identify Key Components
  - Process 6: Evaluate Selected Components
- Phase 3: Develop Security Strategy and Plans
  - Process 7: Conduct Risk Analysis
  - Process 8: Develop Protection Strategy

69

Risk Analysis and Standards: Opposing Approaches

- Risk analysis
  - Default decision: adopt no safeguards
  - Risk analysis economically justifies adoption of safeguard
- Standards
  - Default decision: adopt all safeguards
  - Justify in audit decisions not-to-adopt safeguard
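The inversion stated on this slide, together with the "standard -- risk analysis dialectic" of slide 28 (risk analysis used to eliminate unnecessary safeguards) and the risk-analysis step of the generic design model on slide 64, as an added worked example that is not part of the original deck. The safeguard inventory and its figures are constructed, and the annual-loss-expectancy arithmetic (single loss expectancy times annual rate of occurrence, reduced by the control's effectiveness) is a conventional risk-analysis model assumed here, not one the slides specify. The `documentation_cost` parameter is likewise an added assumption: it stands for the cost of writing and defending an exception in audit.

```python
"""Added example: one safeguard inventory decided under a risk-analysis regime
(default: adopt nothing) and under a standards regime (default: adopt all).
All figures are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str               # control taken from a standard's inventory
    annual_cost: float      # acquisition plus operating cost per year
    asset_value: float      # value of the asset the control protects
    aro: float              # annualised rate of occurrence of the threat
    exposure_factor: float  # fraction of asset value lost per occurrence (0..1)
    effectiveness: float    # fraction of that loss the control prevents (0..1)

    def ale_without(self) -> float:
        """Annual loss expectancy with no control: SLE x ARO (assumed model)."""
        return self.asset_value * self.exposure_factor * self.aro

    def risk_reduction(self) -> float:
        """Annual loss the control is expected to avert."""
        return self.ale_without() * self.effectiveness

    def net_benefit(self) -> float:
        """Positive when the averted loss exceeds what the control costs."""
        return self.risk_reduction() - self.annual_cost


# Constructed inventory; names follow the ISO 17799 control areas on the slides.
INVENTORY = [
    Safeguard("Network access control: perimeter firewall", 20_000, 2_000_000, 0.5, 0.3, 0.8),
    Safeguard("Host intrusion detection on lobby kiosks", 15_000, 50_000, 0.2, 0.5, 0.6),
    Safeguard("Cryptographic controls on archived records", 8_000, 400_000, 0.1, 0.5, 0.9),
    Safeguard("Equipment security for lobby terminals", 5_000, 10_000, 1.0, 1.0, 0.9),
    Safeguard("Secure area for the print room", 12_000, 30_000, 0.3, 0.4, 0.7),
]


def risk_driven_selection(inventory):
    """Risk-analysis regime. Default decision: adopt no safeguard.
    Risk economics must justify each adoption, so only controls whose
    averted loss exceeds their cost are taken."""
    return {s.name for s in inventory if s.net_benefit() > 0}


def standard_driven_selection(inventory, documentation_cost=0.0):
    """Standards regime. Default decision: adopt every safeguard the standard
    lists. Risk economics must justify each exception, and an exception is
    only worth filing when what adopting the control loses per year exceeds
    the (assumed) cost of documenting and defending the exception in audit.
    Returns (adopted names, {exception name: justification text})."""
    adopted, exceptions = set(), {}
    for s in inventory:
        shortfall = -s.net_benefit()  # annual loss from adopting anyway
        if shortfall > documentation_cost:
            exceptions[s.name] = (
                f"ALE {s.ale_without():,.0f}/yr reduced by {s.risk_reduction():,.0f}/yr "
                f"at a cost of {s.annual_cost:,.0f}/yr: not cost-justified"
            )
        else:
            adopted.add(s.name)
    return adopted, exceptions


def analysis_burden(inventory, regime, documentation_cost=0.0):
    """Safeguards for which the regime demands a written risk analysis:
    the adoptions under 'risk', the exceptions under 'standard'."""
    if regime == "risk":
        return risk_driven_selection(inventory)
    _, exceptions = standard_driven_selection(inventory, documentation_cost)
    return set(exceptions)


if __name__ == "__main__":
    print("Risk-analysis regime adopts:", sorted(risk_driven_selection(INVENTORY)))
    adopted, exceptions = standard_driven_selection(INVENTORY, documentation_cost=10_000)
    print("Standards regime adopts:", sorted(adopted))
    for name, why in exceptions.items():
        print("  exception on file:", name, "->", why)
```

With `documentation_cost` at zero the two regimes select the same controls and only the burden of analysis flips: the risk regime writes a justification for each adoption, the standards regime for each exception. Once filing an exception costs something, a marginally uneconomic control (the print room in the constructed data) is adopted because arguing against it costs more than running it, which is the competitiveness drag the deck's conclusion describes.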

70

The Information Security Standards Marketplace

[Marketplace diagram repeated from slide 4.]
