April 7, BDIM 2006, Vancouver, Canada - Frederick Yip, University of New South Wales

1 Enforcing Business Rules and Information Security Policies through Compliance Audits
Frederick Yip, Pradeep Ray, Nandan Paramesh
School of Computer Science & Engineering; School of Information Systems & IT Management
University of New South Wales, Sydney, Australia

2 Outline
- Background: What is the industry doing?
- Problem: What are the challenges?
- Motivation: How did these challenges motivate the research?
- XISSF: Compliance mechanism
- Limitations & Future Work: Holistic framework
- Conclusion

3 Background
- Ever-increasing pressure and responsibilities for organizations to fulfill the requirements enforced by different regulations.
- Actively assessing corporate security compliance based on renowned standards, guidelines and best practices (e.g. CobiT, ISO) secures trust and recognition from customers and business partners.
- Compliance spending: US$15.5 billion in 2005; US$5.8 billion for Sarbanes-Oxley alone in 2005; estimated to exceed US$80 billion over the next 5 years.
- HIPAA affects organizations that maintain medical health information.
- New: the European 8th Directive, the SOX equivalent in the EU, is currently in draft.

4 Standards
- CobiT v3, CobiT v4: Control Objectives for Information and related Technology
- ISO/IEC 17799:2000, ISO/IEC 17799:2005: Information technology - Security techniques - Code of practice for information security management
- AS/NZS 17799:2001: Information technology - Code of practice for information security management
- BSI IT Baseline Protection Manual
- BS 7799, ISO 27001: Information technology - Security techniques - Information security management systems - Requirements

5 The Problem
- Multi-regulation: 3 out of 4 organizations must comply with 2 or more regulations; 43% of organizations must comply with 3 or more regulations.
- Too many standards: which one should you use? The choice depends on regulations, organization structure, jurisdiction, industry and auditor.
- Standards are different, some overlap, and they change from time to time (versions).
- Manual process: time consuming, requires co-ordination and co-operation from business units, and is subjective.

6 Compliance Process
- Traditional checklists
- Legislation and regulation are ambiguous to IT
- The need for a common infosec specification format that can be distributed to other business units
- What about multiple information security standards?
- The need for a uniform way of checking compliance with policies and best practices
- The need for a uniform way to report audit and compliance results

7 eXtensible Information Security Specification Format (XISSF)
What is it?
- A common infosec specification format and platform, not vendor or firm specific
- Based on XML
- Textual descriptions of the security clauses or safeguards within infosec standards are restructured and codified
XISSF is capable of:
- Encapsulating and segregating the clauses extracted from different textual standards; heterogeneous clauses from multiple standards can be encapsulated in a single XISSF document
- Being transported between business units, across a global business
- Expressing information security specifications explicitly, which decreases ambiguity
- Providing a uniform way of checking compliance with policies and best practices
- Providing a machine-interpretable format for computer-aided assessment of security compliance

8 XISSF
- Foundation for providing automated support for compliance audits
- Addresses the problem of heterogeneous information security standards
- Agents can be designed to perform routine and subjective tasks based on XISSF (mobile agents and multi-agent systems)
Tags:
- An enclosed weighting metric for each checkpoint in the clauses, for audit and assessment purposes
- Atomic actionable questions or statements identified as checkpoints
Element hierarchy shown in the slide diagram: XISSF > GROUP (a group may contain further groups) > CLAUSE > CHECKPOINT OBJECTIVE > CHECKPOINT
Attribute sets shown in the diagram: due, reminder, reference, ...; id, required, role, ...; title, pre-req, ...; and for each checkpoint: description, weight, required, threat type, constraints, pre-requisites, ...

9 Regulations/Standards/Clauses/Checkpoints

10 Sample Clause - ISO 17799: Information security policy document
Control: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
Implementation guidance: The information security policy document should state management commitment and set out the organization's approach to managing information security. The policy document should contain statements concerning:
a) a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing (see introduction);
b) a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
c) a framework for setting control objectives and controls, including the structure of risk assessment and risk management;
...
Draft XISSF:
Sample XISSF - eXtensible Information Security Specification Format. This document defines a list of security specification policies that should be enforced on the organization. This can vary from technical policies to abstract business-level processes.
ISO17799, International Standard Organization
ISO17799: Information security policy document
An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
The information security policy document should state management commitment and set out the organization's approach to managing information security.
The policy document should contain statements concerning a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing.
The policy document should contain statements concerning a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives; ...
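As an added example (not code from the paper or from the XISSF project), the following Python script shows how a codified clause like the one above could drive the computer-aided assessment that slides 7 and 8 describe: it parses an XISSF-style document, collects each clause's checkpoints with their weight and required flag, and scores a clause from recorded audit results, treating a missing result as a failure and letting any failed required checkpoint block compliance. The tag spellings (CHECKPOINT_OBJECTIVE and so on), the attribute names weight, required and threat_type, the nested GROUP, the checkpoint wording and the audit results are all assumptions constructed for this example, following only the hierarchy sketched on slide 8.

```python
import xml.etree.ElementTree as ET

# Constructed sample XISSF-style document. The element hierarchy follows the
# slide's diagram (XISSF > GROUP > CLAUSE > CHECKPOINT OBJECTIVE > CHECKPOINT);
# the exact tag spellings, the attribute names 'weight', 'required' and
# 'threat_type', and the checkpoint wording are assumptions for this example,
# not the paper's schema. The first clause paraphrases the ISO 17799 clause on
# the slide; the second is invented to exercise a GROUP nested inside a GROUP.
SAMPLE_XISSF = """
<XISSF title="Sample XISSF" reference="ISO17799">
  <GROUP id="policy" title="Security policy">
    <CLAUSE id="ispd" title="Information security policy document" required="yes" role="CISO">
      <CHECKPOINT_OBJECTIVE title="Approval and communication">
        <CHECKPOINT id="cp1" weight="3" required="yes" threat_type="governance">
          The policy document is approved by management.
        </CHECKPOINT>
        <CHECKPOINT id="cp2" weight="2" required="no" threat_type="governance">
          The policy document is published and communicated to all employees
          and relevant external parties.
        </CHECKPOINT>
      </CHECKPOINT_OBJECTIVE>
      <CHECKPOINT_OBJECTIVE title="Content of the policy document">
        <CHECKPOINT id="cp3" weight="1" required="no" threat_type="governance">
          The document defines information security, its objectives and scope.
        </CHECKPOINT>
        <CHECKPOINT id="cp4" weight="2" required="no" threat_type="governance">
          The document states management intent in line with business strategy.
        </CHECKPOINT>
      </CHECKPOINT_OBJECTIVE>
    </CLAUSE>
    <GROUP id="policy-review" title="Review of the policy">
      <CLAUSE id="review" title="Review of the information security policy" required="yes" role="CISO">
        <CHECKPOINT_OBJECTIVE title="Periodic review">
          <CHECKPOINT id="cp5" weight="1" required="yes" threat_type="governance">
            The policy is reviewed at planned intervals or when significant changes occur.
          </CHECKPOINT>
        </CHECKPOINT_OBJECTIVE>
      </CLAUSE>
    </GROUP>
  </GROUP>
</XISSF>
"""


def load_checkpoints(xml_text):
    """Map each CLAUSE id to its checkpoints. iter() walks the whole subtree,
    so clauses inside nested GROUPs and checkpoints under any objective are found."""
    root = ET.fromstring(xml_text)
    clauses = {}
    for clause in root.iter("CLAUSE"):
        checkpoints = []
        for cp in clause.iter("CHECKPOINT"):
            checkpoints.append({
                "id": cp.get("id"),
                "weight": float(cp.get("weight", "1")),
                "required": cp.get("required", "no").lower() == "yes",
                "text": " ".join((cp.text or "").split()),
            })
        clauses[clause.get("id")] = checkpoints
    return clauses


def score_clause(checkpoints, results, threshold=0.8):
    """Weighted pass ratio for one clause. results maps checkpoint id -> bool.
    A checkpoint with no recorded result counts as failed (missing evidence
    never raises the score), and any failed required checkpoint blocks
    compliance regardless of the ratio."""
    total = sum(cp["weight"] for cp in checkpoints)
    passed = sum(cp["weight"] for cp in checkpoints if results.get(cp["id"]) is True)
    blocking = [cp["id"] for cp in checkpoints
                if cp["required"] and results.get(cp["id"]) is not True]
    score = passed / total if total else 0.0
    return {"score": score,
            "blocking": blocking,
            "compliant": score >= threshold and not blocking}


def audit(xml_text, results, threshold=0.8):
    """Score every clause in the document and return a report keyed by clause id."""
    return {cid: score_clause(cps, results, threshold)
            for cid, cps in load_checkpoints(xml_text).items()}


if __name__ == "__main__":
    # Constructed audit results: cp3 has no recorded evidence and so counts as failed.
    findings = {"cp1": True, "cp2": True, "cp4": True, "cp5": False}
    for cid, report in audit(SAMPLE_XISSF, findings).items():
        print(cid, f"score={report['score']:.3f}",
              "blocking=", report["blocking"], "compliant=", report["compliant"])
```

With the constructed findings, clause ispd scores 7/8 = 0.875 and is compliant, while clause review scores 0 and is blocked by its failed required checkpoint cp5. Keeping the pass ratio and the blocking list separate matters in practice: a clause can look healthy on the weighted score while a single mandatory checkpoint (here, management approval of the policy) is still unmet.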

11 Scenario: HIPAA

12 Limitations & Future Work
- Preliminary in nature, but essential for any future work
- Checkpoints are currently in English, so human intervention is required
- Improve automation
- Ontology-based schema for each governance standard
- Application of concept learning/extraction methodologies to IT standards
- Assessment strategy based on XISSF
- Agent-based compliance management based on XISSF

13 The Big Picture
Diagram labels: Interface Agent; Interface Agent Involvement

14 Conclusion
- An approach and mechanism to express explicit information security requirements and compliance audits in a codified format
- Increased portability, especially for global business
- A foundation for computer-assisted compliance auditing
- Normalization of XISSF decreases redundant compliance tasks and identifies conflicts
- Reduced interaction time in compliance, improved efficiency
- Better modularization to segregate compliance tasks (role-based)
- Ability to consolidate and extend multiple and heterogeneous infosec specifications
The process of compliance is an important component of ensuring IT security controls are employed and used correctly. It is a continuous effort!

