Securing your Corporate Infrastructure
What is really needed to keep your assets protected
Joseph Burkard – CISA, CISSP
October 3, 2002
© 2002 Protiviti Inc.
Securing your Corporate Infrastructure
Management Dilemma — or — Technical Problem?
(Word cloud of the terms surrounding the question:) Security Awareness, Corporate Governance, Firewall, DMZ, Layered Defense, Intrusion Detection, Authentication, Hacker, Digital Signatures, Denial of Service, Policies & Procedures, Anti-Virus, Physical Security, Non-Repudiation, Internal Controls, Integrity, Vulnerability Testing, Confidentiality, Accountability, Availability, Device Hardening, Litigation, Access Controls, Security Program, Security Organization, Risk Assessment, Wireless, VPN, Privacy, PKI, Worms, Tokens, Cyber Terrorism, ISO 17799, GLBA, HIPAA
Securing your Corporate Infrastructure
Security is Complex!
Traditional Obstacles
– IT expenditure only
– Security is an event-driven industry
– Not the same as other operational risks
– “Won’t happen to us!”
New Information Security Drivers
1. Significant Threats – 9/11/01
2. Recent Vulnerabilities – Code Red, Nimda
3. Increased Oversight – Enron, WorldCom
Increased Oversight and Compliance
Increased Oversight and Compliance

   Governance           Date     Type                  Industry
1. HIPAA               8/1996   Security & Privacy    Healthcare
2. GLB                 5/2000   Security & Privacy    Financial Services
3. IIA—NACD            2000     Security Governance   Corporations
4. GISRA               6/2001   Security Standards    Government
5. FERC                7/2002   Security Standards    Energy
6. Sarbanes—Oxley      8/2002   Internal controls     Publicly traded companies
7. NYSE & NASDAQ       8/2002   Internal controls     Publicly traded companies
8. National Strategy   9/2002   Secure Cyberspace     5 Levels, Corp & Gov
Information Security Governance
IIA—NACD: What Directors Need to Know
Historically, boards and senior management looked at security as a tactical IT issue. But the IIA, in collaboration with the NACD, AICPA and ISACA, has recently challenged this perspective with key governance questions*:
1. Accountability
2. Awareness
3. Ethics
4. Inclusion
5. Resource Allocation
6. Thoroughness
7. Effectiveness
8. Ongoing Assessment
9. Compliance
10. Information Sharing
* Source: Information Security Governance: What Directors Need to Know. The Institute of Internal Auditors (IIA)
Information Security Governance
GISRA
FERC — Standards for Electric Market Participants
– Participants must have a basic Security Program covering governance, planning, prevention, operations, incident response, and business continuity.
– Security standards for electric systems and physical security
– These security standards shall become effective on January 1, 2004.
– Failure to comply will result in loss of direct access privileges to the electric market.
– Senior management is responsible for the Security Program
Internal Controls
Sarbanes—Oxley
– Requires CEO and CFO to file an internal control report
– Increases SEC oversight and penalties
– CEO and CFO must certify quarterly or annual reports
NYSE & NASDAQ
– Corporate codes of conduct required
– Internal audit function mandated
– CEO certification required
Information Security Governance
The National Strategy to Secure Cyberspace
Questions corporate boards, financial analysts and investors should ask:
1. Who is responsible for IT security, and to whom is he/she directly accountable?
2. Do the CEO and COO review IT security?
3. What internal IT security policies exist?
4. Are the security controls sufficient?
Recommendations:
– Enterprise-wide corporate security councils
– Regular independent IT security audits
– Chief Information Security Officer (CISO)
– IT continuity plans regularly reviewed
Securing your Corporate Infrastructure
What is really needed to keep your assets protected?
Develop Security Program
There are three goals for security within an organization:
– Confidentiality
– Integrity
– Availability
These goals can be met with:
– Proper governance
– A Security Program
Develop Security Program
Security Lifecycle
Use the Security Lifecycle to ensure realistic and enforceable policies, and to prioritize security objectives.
– Security is a process
– Security requires a full enterprise perspective
– The Security Lifecycle provides a framework
– Security Policies, Standards, Procedures and Metrics form the core of a Security Program
(Figure: SNCi Guide to Lifecycle Security™)
Develop Security Program
1. Enlist Senior Management Support
2. Define Security Objectives
3. Create Security Strategy or Vision
4. Develop Tactical Security Program
Develop Security Program
Senior Management Commitment
– An acknowledgement of the importance of the computing resources to the business model
– A statement of support for information security throughout the enterprise
– A commitment to authorize and manage the definition of the lower-level standards, procedures, and guidelines
Develop Security Program
Security Strategy & Plan
The model to the right lays the groundwork for designing, implementing and maintaining a comprehensive security framework.
– The strategy and plan encompass People, Process and Technology
– Builds consensus among each of the stakeholders
– The elements of Knowledge Sharing, Best Practices, Metrics, Methodologies, and Skill Sets provide the groundwork for implementing a security framework.
– The biggest issue is the lack of a comprehensive enterprise security strategy
(Figure: Strategy & Plan model: People, Processes and Technology at the centre, surrounded by Best Practices, Metrics/Measures, Methodology, Knowledge Sharing and Skill Sets)
Develop Security Program
Strategy
The strategy is a high-level statement that defines the targeted state of information security for the organization, and how the targeted state of security can be reached.
– Must be specific to the organization
Plan
– Provides an overview of the security requirements and describes the controls
– Delineates responsibilities and expected behavior of all individuals
– Documents the structured process of planning adequate, cost-effective security protection for a system.
Develop Security Program
People
– Identify roles, responsibilities and accountability for all critical information assets
– Determine whether it is appropriately staffed and whether the structure is appropriate for support of business objectives
Process
– Define, document, communicate and practice Security Management functions
– Develop and standardize security policies
Technology
– Identify the technology the IT organization uses to protect access to its network resources
– Identify the metrics to measure the performance of Security Management
– Develop technical security standards
– Identify additional security products and solutions
Develop Security Program
Security Policies
– Form the basis or foundation for the security framework (i.e. people, process, technology)
– Communicate management’s business intent and formulate consensus throughout the organization
– Communicate to stakeholders that company management understands their duty
– Choose a policy structure that is appropriate given your size and company culture
– Delineate responsibilities and expected behavior of all individuals who access the organization’s systems.
– Suggest ways to increase security policy awareness throughout the organization
Develop Security Program
Information Security Framework SM (ISF)
Our approach to managing security risk uses Protiviti’s proprietary Information Security Framework SM (ISF). The framework is based on the simple concept of balance: that information security risk management techniques should create a balance between the cost and nature of controls implemented and the benefit of risks assessed and controlled.
Framework layers:
– Process: the human element in a security program
– Applications: the business software providing access to data
– Data Management: backend databases housing data
– Platform: operating systems and hardware supporting applications
– Network: access to applications and network elements
– Physical: access to facilities and physical elements
Framework principles:
– Strategies and policies ensure that business risks are effectively managed and communicated to relevant parties
– Processes and controls should be in place to detect and respond to security alerts and events
– Technical architectures and solutions should be designed and operated to provide effective solutions to security threats
– Changes to the technical environment should not create weaknesses in the security architecture
Summary
Summary
– Security is Complex!
– Governance = Accountability
– Security is a Process
– Enlist Senior Management Support
– Define Security Objectives
– Create Security Strategy or Vision
– Develop Tactical Security Program
– People, Process and Technology
– Security Policies and Awareness
Introducing Protiviti: Who we are
We are a leading provider of completely independent business and technology risk consulting and internal audit services.
Business facts
Protiviti has offices in 25 major U.S. markets, with more than 750 experienced professionals. We specialize in helping clients identify, measure and manage operational and technology-related risks within their industries and throughout their systems and processes.
Our fields of specialization within Technology Risk Management include:
– Security and Privacy
– Business Systems Control and Effectiveness
– Disaster Recovery
– Information Systems Testing
– Reliability and Performance
– IT Asset Management
– Project Management
– Change Management
– IT Optimization
We are a subsidiary of Robert Half International Inc., the world’s leading specialized staffing and consulting services firm, with 2001 revenues of $2.5 billion. Our parent company was named one of “America’s Most Admired Companies” by Fortune magazine for the fourth straight year. RHI has also been featured on the Forbes Platinum 400 list of the best big companies in America, also for the fourth consecutive year.
For more information, visit our website at www.protiviti.com
Joseph Burkard, CISA, CISSP
Background
Joe is a Senior Manager in Protiviti’s Milwaukee office. He has over seven years’ experience in information technology, the last three with Andersen prior to Protiviti. He has been an IS security and risk consultant, network engineer and system administrator. He has developed security architecture and methodologies, performed numerous security-related risk assessment audits and has managed system installation and application integration projects. He is a Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP).
Relevant Experience
– Information Security
– Project Risk Management
– IT Risk Assessment
– Infrastructure Management
– Internal and IS Audit
Representative Clients
Briggs & Stratton, Commercial Federal Bank, Kohler, Lands’ End, Manpower, Newell-Rubbermaid, PepsiAmericas, Roundy’s, SC Johnson, Sprint, United Health Group
Certifications
– Certified Information Systems Auditor (CISA)
– Certified Information Systems Security Professional (CISSP)
– Fellow, Life Management Institute (FLMI)