
Slide 1: Security Governance and Regulatory Controls
Copyright Security-Assessment.com 2004
by Peter Benson

Slide 2: Agenda
ISO/IEC AS/NZS 17799
SIGS
Sarbanes Oxley
CIS
COBiT
Others

Slide 3: General Issues
Controls considered to be essential to an organization from a legislative point of view include:
– data protection and privacy of personal information
– safeguarding of organizational records
– intellectual property rights
Audit and Compliance key issues

Slide 4: Trends
Continuous Auditing
Continuous Assurance
Changing Regulatory Environment
Security as a Business Requirement
Benchmarking
Security Metrics
Information Leakage / Information Asset Management
Hacking for Pirating / Spam
Phishing

Slide 5: Security Success Factors
Security policy, objectives and activities that reflect business objectives;
Consistent Security Implementation Approach;
Management Buy-in – Visibility and Support;
Security Requirements, Risk Assessment and Risk Management understood;
Security Marketing;
Policy and Standards Distribution;
Training and education;
Measurement and Improvement Systems.

Slide 6: ISO 17799 Business Requirements
Reasonable level of Uptake
Compliance rather than Certification
Guideline rather than Prescription
Gap Analysis and Roadmaps

Slide 7: ISO 17799 coverage
Security Policy
Organisational Security
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Systems Development and Maintenance
Business Continuity Management
Compliance

Slide 8: SIGS
Designed for government departments and agencies, State Owned Enterprises and Crown Entities; however, it may be applicable to companies working with Government
May be Mandatory
Based on the Joint Australian New Zealand Standard AS/NZ ISO/IEC 17799:2001
Risk Analysis and Management aligned to AS/NZS 4360:1999 - Risk Management
Some content drawn from Australia’s “Commonwealth Protective Security Manual” and the United Kingdom's “Manual of Protective Security”

Slide 9: Sarbanes – Oxley Section 404
Y2K on Steroids
Typically under-reaction to over-reaction
Required for any company wanting to work in the US
Based around Financial Accounting and Audit, but…
High focus on Best Practice for IT
– COBiT adopted
– ISO 17799
Compliance / Auditability against reasonable / best practice high on agenda
3rd Party Auditing issues

Slide 10: COBiT
Control Objectives and Audit Guidelines
NOT a set of audit controls or specifics
Not Information Security specific; generally accepted reasonable practice

Slide 11: SSE-CMM

Slide 12: SSE-CMM Measurement

Slide 13: CIS Benchmarks
Generally Considered “Reasonable Practice”
Strong use in Compliance Testing
www.cisecurity.org

Slide 14: Emerging Issues
Australian Commerce Act
Fair Trading Act (AUS)
Civil (Tort) Law (Duty of Care, Negligence)
Contingent Liability (Hacked Systems)
New Zealand Crimes Act
Accountability but not necessarily Responsibility (outsourcing)
Process Auditability (Do what you say you do)
Compliance Management and Security Metrics

Slide 15: Common Themes in NZ Organisations
Federated business models
Lack of centralised decision making or effective delegation
Insufficient buy-in (Metrics and Marketing!)
Security and Risk disconnect
Lack of effective compliance testing
Lack of compliance performance analysis
Delegation of Responsibility – but abrogating Accountability

Slide 16: Directions to Consider
Documented processes and process auditability
Compliance Management
Vulnerability Management / Continuous Auditing
Security SLAs
Manage Security Performance against Benchmarks / Baselines
MEASURE SECURITY (and Market it!)

Slide 17: Questions?

