TRANSCRIPT
The Information Security Standards Marketplace
Richard Baskerville, Visiting Professor, Bocconi University
Conclusion

Rather than just a technical decision subject to regulatory requirements, IT security standards adoption is a decision taken in a complex marketplace of competing standards, competing service providers, competing security design methods, and competing national and international legislative requirements, all under the oversight of closely watched audit firms and government regulators. The audit dependence on standards in this market inverts the economic decisions for internal controls in information systems. Without regulatory standards, risk economics are necessary to justify acquisition and implementation of controls. With regulatory standards, risk economics are necessary to justify exceptions to the acquisition and implementation of controls. The impact of this economic shift may drive down organizational competitiveness or increase misleading compliance behaviour among IT professionals.
Outline

1. The Information Security Standards Marketplace
2. Competing National And International Legislative Requirements
3. Competing Standards And Competing Service Providers
4. Audit Firms And Government Regulators
5. Reoriented Security Design Methods
The Information Security Standards Marketplace

[Diagram of the marketplace. Elements: IT security standards; IT service providers specializing in security standards; national and extraterritorial legislation; regulatory bodies; audit firms; IT operations in publicly held firms; IT security design processes; IT security operation processes. Labels on the diagram: Competition, Competition, Reoriented.]
Competing National And International Legislative Requirements
Public Company Audit Reforms: Restore Investor Confidence in Capital Markets

- Significant changes to securities laws or practices
- The wake of corporate financial scandals
  - Enron
  - Arthur Andersen
  - WorldCom
- European Union Council 8th Directive (expansion)
- Sarbanes-Oxley Act of 2002 (US)
- Corporate Law Economic Reform Program (CLERP 9) (Australia)
EU 8th Directive

- Establishes a new audit regulatory committee composed of member states and chaired by a representative of the European Commission (EC). The committee will assist the EC in establishing the implementation measures of the directive.
- Auditors or audit firms must:
  - Be approved and registered in any member state.
  - Meet continuous education requirements.
  - Be subject to robust professional ethics.
  - Be independent from the audited company.
  - Adhere to the International Standards on Auditing.
  - Meet quality assurance standards.
  - Be governed by the member state system of investigation and sanctions.
  - Be subject to public oversight.
  - Follow relationship procedures with an audited entity.
  - Disclose an internal governance statement.
  - Cooperate with the mandated audit committee in financial reporting.

Source: Braiotta, Louis (2005) "An overview of the EU 8th Directive: the European Union prepares to issue its response to corporate malfeasance", Internal Auditor, April.
US: Sarbanes-Oxley Act of 2002 (107 H.R. 3763) (Sarbox or Sox)

- Enhanced Financial Disclosures
  - Title IV (Sections 401-409)
- Deals with company responsibilities for periodic financial reports, assessment of internal controls, code of ethics, and other aspects of disclosures.
- Section 404: Management Assessment of Internal Controls.
- Requires an "internal control report"
  - Establish and maintain adequate internal control structure and procedures
  - Assess their effectiveness

[Photo caption: Senator Paul Sarbanes and Representative Michael Oxley being congratulated on the 30 July 2002 signing of their act after approval by the House 423-3 and by the Senate 99-0.]
Public Company Accounting Oversight Board, Title I (Sections 101-109)

Deals with the establishment of the PCAOB, which registers and reviews public accounting firms under the oversight of the SEC, with responsibility for investigations and disciplinary actions for breaches of accounting standards.
Auditor Independence, Title II (Sections 201-209)

- Deals with conflicts of interest in business relationships of audit firms and steps to unveil such conflicts, like rotating firms and audit partners, reporting to the audit committee, etc.
- Section 201: Services Outside the Scope of Practice of Auditors; Prohibited Activities.
  - This section outlaws an audit firm providing "non-audit service" to companies during audits, e.g.,
    - Bookkeeping
    - Financial information systems design and implementation
    - Management functions or human resources
Corporate Responsibility, Title III (Sections 301-308)

Deals with company audit committees, and the conduct of all officers and directors.
Enhanced Financial Disclosures, Title IV (Sections 401-409)

- Deals with company responsibilities for periodic financial reports, assessment of internal controls, code of ethics, and other aspects of disclosures.
- Section 404: Management Assessment of Internal Controls.
- Requires an "internal control report"
  - Establish and maintain adequate internal control structure and procedures
  - Assess their effectiveness
Analyst Conflicts of Interest, Title V (Section 501)

Deals with conflict of interest rules for exchanges and associations.

Commission Resources and Authority, Title VI (Sections 601-604)

Deals with budget and authority.

Studies and Reports, Title VII (Sections 701-705)

Deals with government reports.

Corporate and Criminal Fraud Accountability, Title VIII (Sections 801-807)

Deals with faked or destroyed documents, retention of records, and criminal penalties.

White Collar Crime Penalty Enhancements, Title IX (Sections 901-906)

Increases some criminal penalties, criminalizes record tampering and fraudulent financial statements, etc.

Corporate Tax Returns, Title X (Section 1001)

CEO must sign tax returns.

Corporate Fraud and Accountability, Title XI (Sections 1101-1107)

Deals with record tampering, impeding officials, and SEC authority to freeze payments and exclude securities fraudsters as company officers.
Impact on IT: What has this got to do with information systems?

- Business processes are now dependent on IT
- The IT function is crucial
- Compliance means
  - Internal control must map to IT systems
  - IT systems risks must be reported
  - IT controls must be tested
CIO Involvement (PWC Guidance)
IT "Sabotage": Bad IT will screw this thing up

Lack of domain knowledge, insular IT culture, and lack of internal control knowledge combine to create significant weaknesses in controls and systems developed by IT. (Cannon & Growe, Journal of Corp. Accounting & Finance, 2004)
Avoiding IT Problems (Cannon & Growe, Journal of Corp. Accounting & Finance, 2004)

- Better utilize internal audit
- Adopt comprehensive control framework
- Raise risk awareness of IT workers
- Train IT on internal control
- Include IT on SOX planning committees
- Loan IT workers to functional departments
Or .... Avoiding IT Problems (Lanz & Tie, Journal of Accountancy, 2004)

- Outsource IT
  - Weak company staff
  - Multiple IT platforms
  - Management dissatisfaction with internal IT
  - Internal politics interferes
- Train CPAs to advise clients on outsourcing of IT
  - When to outsource
  - Where to outsource
Australian CLERP 9

- Ethical purpose similar to Sarbox & EU 8, but softer
- Based on disclosure rather than criminalization
- Regulates auditor independence, periodic reporting, and corporate disclosure and certification of financial reports
- Two systems are similar enough to permit parallel compliance
  - SarbOx compliance increases overhead
  - Some issues in attorney-client confidentiality
- Executives are not required to certify the maintenance of internal controls to the public
  - Required to certify to the directors of the company that the financial statements comply with accounting standards and represent the true and fair view of the current financial position of the company
Extra-Territorial Law

- The more restrictive legislative framework effectively overrides national regulatory authorities in other countries
- SarbOx takes precedence over CLERP 9 in parallel compliance situations for companies subject to US SEC regulations.
- Can extend to outsourcing vendors where controls are subject to SarbOx compliance reporting
Impact: Emerging IT Risk Management Practices (developed in an industry study)

- Define an overall organizational risk management strategy
- Adhere to one of the prevalent IT security standards
- Develop and deploy safeguards and controls that provide the optimal combination of risk treatments
- Provide system risk review mechanisms
- Test all risk treatments
Adhere to One of the Prevalent IT Security Standards

- Encodes an overall IT security architecture
- Critically consider controls and safeguards inventory
- E.g., risk analysis to eliminate unnecessary safeguards
- Standard -- risk analysis dialectic
Competing Standards And Competing Service Providers

[Marketplace diagram repeated.]
Guidance and Standards: Examples

- Technical Standards
  - ISO/IEC 17799
- Professional Standards
  - COBIT (Control Objectives for IT), a generally applicable and accepted standard for good information technology security and control practices in organizations.
- Qualification Criteria
  - ITSEC, TCSEC, Common Criteria
- Industry Practices and Standards
  - NIST 800-12 Computer Security Handbook
  - Payment Card Industry (PCI) Standard
  - ITIL (IT Infrastructure Library)
Technical Standards Example: ISO/IEC 17799

Provide assurance and evidence that proper and responsible measures are present in the organization's systems.

[Diagram of the ISO/IEC 17799 control areas:]
- Risk assessment & treatment
- Security policy
- Organizational security: information security infrastructure; security of third-party access; outsourcing
- Asset classification and control: accountability for assets; information classification
- Human resources security: job definition and resourcing; user training; responding to security incidents
- Physical and environmental security: secure areas; equipment security
- Communications/operations management: system planning and acceptance; protection against malicious software
- Access control: user access management; network access control; operating system access control; application access control
- System development and maintenance: security in application systems; cryptographic controls; security of systems files; security in development; security in support processes
- Incident management
- Business continuity management
- Compliance: legal compliance; reviews; system audit
ISO/IEC 17799:2005
Risk Assessment & Treatment (ISO 17799)

- The objectives of this section are
  - To establish a process for identifying major security threats and vulnerabilities and determine the potential impact within the context of an organization's business objectives and strategies.
PDCA Model

- Plan: Establish the Information Security Management System (ISMS)
- Do: Implement and operate the ISMS
- Check: Monitor and review the ISMS
- Act: Maintain and improve the ISMS

ISO 17799

[Figure: the Plan, Do, Check, Act cycle. Source: Gamma Secure Systems, http://www.gammassl.co.uk/bs7799/works.html]
Security Policy (ISO 17799)

- The objectives of this section are:
  - To provide management direction and support for information security.
Organizational Security (ISO 17799)

- The objectives of this section are:
  - To manage information security within the Company
  - To maintain the security of organizational information processing facilities and information assets accessed by third parties.
  - To maintain the security of information when the responsibility for information processing has been outsourced to another organization.
Human Resources Security (ISO 17799)

- The objectives of this section are:
  - To reduce risks of human error, theft, fraud or misuse of facilities;
  - To ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work;
  - To minimise the damage from security incidents and malfunctions and learn from such incidents.
Communications and Operations Management (ISO 17799)

- The objectives of this section are:
  - To ensure the correct and secure operation of information processing facilities;
  - To minimise the risk of systems failures;
  - To protect the integrity of software and information;
  - To maintain the integrity and availability of information processing and communication;
  - To ensure the safeguarding of information in networks and the protection of the supporting infrastructure;
  - To prevent damage to assets and interruptions to business activities;
  - To prevent loss, modification or misuse of information exchanged between organizations.
Access Control (ISO 17799)

- The objectives of this section are:
  - To control access to information
  - To prevent unauthorised access to information systems
  - To ensure the protection of networked services
  - To prevent unauthorized computer access
  - To detect unauthorised activities.
  - To ensure information security when using mobile computing and tele-networking facilities
System Acquisition, Development and Maintenance (ISO 17799)

- The objectives of this section are:
  - To ensure security is built into operational systems;
  - To prevent loss, modification or misuse of user data in application systems;
  - To protect the confidentiality, authenticity and integrity of information;
  - To ensure IT projects and support activities are conducted in a secure manner;
  - To maintain the security of application system software and data.
Information Security Incident Management (ISO 17799)

- The objectives of this section are:
  - Establish security incident reporting processes that ensure prompt reporting.
  - Ensure that incidents lead to corrective actions.
  - Establish security event escalation processes.
  - Establish contractor and third party reporting processes.
Business Continuity Management (ISO 17799)

- The objectives of this section are:
  - To counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.
Compliance (ISO 17799)

- The objectives of this section are:
  - To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements
  - To ensure compliance of systems with organizational security policies and standards
  - To maximize the effectiveness of and to minimize interference to/from the system audit process.
Physical and Environmental Security (ISO 17799)

- The objectives of this section are:
  - To prevent unauthorised access, damage and interference to business premises and information;
  - To prevent loss, damage or compromise of assets and interruption to business activities;
  - To prevent compromise or theft of information and information processing facilities.
Asset Classification and Control (ISO 17799)

- The objectives of this section are:
  - To maintain appropriate protection of corporate assets and
  - To ensure that information assets receive an appropriate level of protection.
ISO/IEC 27001:2005, Update of BS 7799

This standard has evolved toward the development of management systems for information security and provides a stronger basis for third party audit and certification. It offers a managerially-oriented complement to the technologically-oriented ISO 17799.
Professional Standards Example: CobIT
CobIT Architecture (adapted from "CobIT--Overview" 2005)

[Diagram elements: Business Objectives & IT Governance; Information; IT Resources; four domains, each with its Control Objectives: Planning & Organization, Acquisition & Implementation, Delivery & Support, Monitoring.]

CobIT
Industry Practices & Standards. Examples: NIST 800-12, PCI, ITIL

NIST Computer Security Handbook, Special Publication 800-12
NIST Computer Security Division, http://csrc.nist.gov/publications/nistpubs/

- SP 800-12 An Introduction to Computer Security: The NIST Handbook, October 1995
- SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996
- SP 800-18 Guide for Developing Security Plans for Information Technology Systems, December 1998
- SP 800-26 Security Self-Assessment Guide for Information Technology Systems, November 2001
- SP 800-30 Risk Management Guide for Information Technology Systems, July 2002
- SP 800-33 Underlying Technical Models for Information Technology Security, December 2001
- SP 800-34 Contingency Planning Guide for Information Technology Systems, June 2002
- SP 800-55 Security Metrics Guide for Information Technology Systems, July 2003
- SP 800-65 Integrating Security into the Capital Planning and Investment Control Process, January 2005
NIST SP 800-14 Reference Model: OECD's Guidelines for the Security of Information Systems

- Accountability - The responsibilities and accountability of owners, providers and users of information systems and other parties...should be explicit.
- Awareness - Owners, providers, users and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures...for the security of information systems.
- Ethics - The information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interest of others are respected.
- Multidisciplinary - Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints....
- Proportionality - Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm....
- Integration - Measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of security.
- Timeliness - Public and private parties, at both national and international levels, should act in a timely coordinated manner to prevent and to respond to breaches of security of information systems.
- Reassessment - The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.
- Democracy - The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.

[Figure residue: process areas by strategic, tactical and operational level, with the labels availability management, incident management, problem management, change management, release management, availability management, financial management, service-level management.]
Payment Card Industry Data Security Standard

- Build and Maintain a Secure Network
  - Install and maintain a firewall configuration to protect data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  - Protect stored data
  - Encrypt transmission of cardholder data and sensitive information across public networks
- Maintain a Vulnerability Management Program
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  - Restrict access to data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes.
- Maintain an Information Security Policy
  - Maintain a policy that addresses information security
ITIL: IT Infrastructure Library

- Best practices and guidelines for managing information technology services
- Integrated, process-based approach
- Originated as a 1980's UK government drive
- Focus on quality, efficient, cost-effective delivery of IT services
Major ITIL Volumes

- Software asset management
- Service support
- Service delivery
- Planning to implement service management
- ICT infrastructure management
- Application management
- Security management
- The business perspective
ITIL Structure: "Best Practices"
ITIL Security

- Security Management Products
  - Policies
  - Processes
  - Procedures
  - Work instructions

[Flow diagram, adapted from Weil, Steven (2004) "How ITIL Can Improve Information Security", Security Focus (http://www.securityfocus.com/infocus/1815), with the labels in order: Initial security effort: risk analysis; Security requirements; Minimum security baseline; Requirements feasibility analysis; Negotiate & define SLA; SLA; Negotiate & define OLA; OLA; Implement; Monitor; Report; Modify. The parties shown are Customer and IT Service Org.]
Audit Firms And Government Regulators

[Marketplace diagram repeated.]
Audit Firms And Government Regulators

- SarbOx-driven audit firms reviewing assessment processes for internal controls
  - Was ISO/IEC 17799 or CobIT the better choice?
  - Firms cannot consult, only review
- PCAOB an indirect factor: ensuring that organizational decisions about standards adoption are made independently from an external auditor.
Reoriented Security Design Methods

[Marketplace diagram repeated.]
Security Design Context of Risk Analysis

So many safeguards . . .
We can't afford to include all of them . . .
But which?
Generic Security Design Model (Second Generation Methods)

[Flow diagram with the steps: Identify and evaluate system assets; Identify and evaluate threats; Identify possible controls; Risk analysis; Prioritize controls for implementation; Implement and maintain controls. Also labelled: Scenarios; Standards or Models.]
Security Design Model Example: Octave
Octave (Carnegie Mellon Software Engineering Institute)

- Operationally Critical Threat, Asset, and Vulnerability Evaluation
- Considers both organizational and technological issues
- Focused on organizational strategy and practice
- Driven by operational risks and security practices
Octave Process (from Christopher Alberts, Audrey Dorofee, James Stevens, Carol Woody, Introduction to the OCTAVE® Approach, August 2003, Software Engineering Institute, http://www.cert.org/octave/pubs.html)
Octave Method

- Phase 1: Build Asset-Based Threat Profiles
  - Process 1: Identify Senior Management Knowledge
  - Process 2: Identify Operational Area Knowledge
  - Process 3: Identify Staff Knowledge
  - Process 4: Create Threat Profiles
- Phase 2: Identify Infrastructure Vulnerabilities
  - Process 5: Identify Key Components
  - Process 6: Evaluate Selected Components
- Phase 3: Develop Security Strategy and Plans
  - Process 7: Conduct Risk Analysis
  - Process 8: Develop Protection Strategy
Risk Analysis and Standards: Opposing Approaches

- Risk analysis
  - Default decision: adopt no safeguards
  - Risk analysis economically justifies adoption of a safeguard
- Standards
  - Default decision: adopt all safeguards
  - Justify in audit decisions not-to-adopt a safeguard
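The inversion this slide describes, together with the steps of the generic security design model earlier in the deck (identify assets, identify threats, identify controls, risk analysis, prioritize), can be shown on one safeguard inventory. The following is an added worked example, not code from Baskerville's slides: both decision rules are run over the same annualized-loss figures, and the difference is in which decisions need a justification. Every asset, threat, money figure and the list of safeguards "required by the standard" is constructed for illustration and comes from no real standard or organization.

```python
"""Added worked example (not from the slides): one safeguard inventory under
the two decision rules the slide contrasts.

  Risk-analysis rule: default 'adopt nothing'; a safeguard is adopted only when
                      its annual risk reduction exceeds its annual cost.
  Standards rule:     default 'adopt everything the standard requires'; the
                      same economics serve only to justify documented exceptions.

All assets, threats, money figures and the pseudo-standard's required list are
constructed for this example, not taken from any real standard or organization.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """A threat against one asset, with constructed loss figures."""
    name: str
    asset: str
    sle: float   # single loss expectancy: loss per incident
    aro: float   # annualized rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO (the classic risk-analysis figure)."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control; aro_reduction is the fraction of the threat's ARO it removes."""
    name: str
    annual_cost: float
    mitigates: str        # name of the Threat it addresses
    aro_reduction: float  # 0.0 .. 1.0


# Design-model steps 1 and 2: identify and evaluate assets and threats (constructed).
THREATS: dict[str, Threat] = {t.name: t for t in (
    Threat("ransomware",     asset="file server",  sle=160_000.0, aro=0.25),
    Threat("laptop theft",   asset="laptop fleet", sle=10_000.0,  aro=1.0),
    Threat("web defacement", asset="public site",  sle=4_000.0,   aro=0.5),
)}

# Step 3: identify possible controls. Each is evaluated on its own; combining two
# safeguards against the same threat is deliberately not modelled here.
SAFEGUARDS = (
    Safeguard("offline backups",             annual_cost=8_000.0, mitigates="ransomware",     aro_reduction=0.75),
    Safeguard("full disk encryption",        annual_cost=3_000.0, mitigates="laptop theft",   aro_reduction=0.875),
    Safeguard("security awareness training", annual_cost=4_000.0, mitigates="laptop theft",   aro_reduction=0.25),
    Safeguard("web application firewall",    annual_cost=6_000.0, mitigates="web defacement", aro_reduction=0.75),
)

# What the (constructed) standard mandates, independent of this organization's risk picture.
REQUIRED_BY_STANDARD = {"offline backups", "full disk encryption", "web application firewall"}


def risk_reduction(sg: Safeguard, threats: dict[str, Threat]) -> float:
    """Step 4, risk analysis: annual loss avoided = ALE before minus ALE after."""
    return threats[sg.mitigates].ale * sg.aro_reduction


def prioritize(safeguards, threats) -> list[str]:
    """Step 5: rank controls by benefit per unit of annual cost, highest first."""
    return [sg.name for sg in sorted(
        safeguards, key=lambda sg: risk_reduction(sg, threats) / sg.annual_cost, reverse=True)]


def risk_analysis_decision(safeguards, threats) -> list[str]:
    """Default: adopt nothing. Adopt only where the benefit exceeds the cost."""
    return sorted(sg.name for sg in safeguards if risk_reduction(sg, threats) > sg.annual_cost)


def standards_decision(safeguards, threats, required: set[str]) -> tuple[list[str], dict[str, str]]:
    """Default: adopt every required safeguard. The economics only justify exceptions,
    and each exception carries the written justification an auditor would ask for."""
    adopted: list[str] = []
    exceptions: dict[str, str] = {}
    for sg in safeguards:
        if sg.name not in required:
            continue  # the standard is silent on it, so this rule makes no decision
        benefit = risk_reduction(sg, threats)
        if benefit > sg.annual_cost:
            adopted.append(sg.name)
        else:
            exceptions[sg.name] = (
                f"annual cost {sg.annual_cost:,.0f} exceeds annual risk reduction "
                f"{benefit:,.0f}; exception requires documented approval")
    return sorted(adopted), exceptions


if __name__ == "__main__":
    print("priority order:", prioritize(SAFEGUARDS, THREATS))
    print("risk analysis adopts:", risk_analysis_decision(SAFEGUARDS, THREATS))
    adopted, exceptions = standards_decision(SAFEGUARDS, THREATS, REQUIRED_BY_STANDARD)
    print("standard adopts:", adopted)
    for name, why in exceptions.items():
        print(f"exception for {name}: {why}")
```

On these constructed figures both rules end up adopting the same two safeguards, but the paperwork differs: the risk-analysis rule silently drops the web application firewall because its benefit (1,500 a year) is below its cost (6,000 a year), whereas the standards rule must record that same calculation as an audit-visible exception, which is exactly the inversion the abstract describes. The awareness training, not required by the standard, is never examined under the standards rule at all.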
The Information Security Standards Marketplace

[Marketplace diagram repeated.]