
1 Planning Chapter 2

2 Orientation
- The first chapter focused on threats
- The rest of the book focuses on defense
- In this chapter, we will see that defensive thinking is built around the plan-protect-respond cycle
- In this chapter, we will focus on planning
- Chapters 3 to 8 focus on protection (day-by-day defense)
- Chapter 9 focuses on response
Copyright Pearson Prentice-Hall 2010

3 But First, Mr. Swartz

4 Illegal?
- Illegal: 30
- Legal: 1ish
- Unethical: 16

5 JSTOR Early Journal Content
- Journal content in JSTOR published prior to 1923 in the United States and prior to 1870 elsewhere is freely available to anyone, anywhere in the world
- Register & Read gives researchers read-only access to some journal articles, no payment required
  - Users won't be able to download the articles
  - Access only three at a time
  - Minimum viewing time frame of 14 days per article
- "The Register & Read beta is an exciting next step that we are taking, working closely with our publisher partners who own this content."

6 Computer Fraud and Abuse Act
- Pertains to financial and government computers
- Pertains to affecting interstate commerce or communication
- Knowingly accessing a computer without authorization in order to obtain national security data
- Intentionally accessing a computer without authorization to obtain:
  - Information contained in a financial record of a financial institution, or contained in a file of a consumer reporting agency on a consumer
  - Information from any department or agency of the United States
  - Information from any protected computer if the conduct involves an interstate or foreign communication
- Intentionally accessing without authorization a government computer and affecting the use of the government's operation of the computer
- Knowingly accessing a protected computer with the intent to defraud and thereby obtaining anything of value
- Knowingly causing the transmission of a program, information, code, or command that causes damage, or intentionally accessing a computer without authorization and, as a result of such conduct, causing damage that results in:
  - Loss to one or more persons during any one-year period aggregating at least $5,000 in value
  - The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals
  - Physical injury to any person
  - A threat to public health or safety
  - Damage affecting a government computer system
- Knowingly and with the intent to defraud, trafficking in a password or similar information through which a computer may be accessed without authorization

7 2-9: Legal Driving Forces
Privacy Protection Laws
- The European Union (E.U.) Data Protection Directive of 2002
- Many other nations have strong commercial data privacy laws
- The U.S. Gramm–Leach–Bliley Act (GLBA)
- The U.S. Health Information Portability and Accountability Act (HIPAA) for private data in health care organizations

8 2-9: Legal Driving Forces
Data Breach Notification Laws
- California's SB 1386
  - Requires notification of any California citizen whose private information is exposed
  - Companies cannot hide data breaches anymore
- Federal Trade Commission (FTC)
  - Can punish companies that fail to protect private information
  - Fines and required external auditing for several years

9 California Senate Bill 24
- Since 2002, California law has required data holders to notify individuals if their data is lost or stolen.
- The new law, however, requires each notice to contain, in "plain language":
  - name and contact information of the data holder
  - types of personal information compromised by the breach
  - brief description of the incident
  - contact information for the major credit reporting agencies
  - whether the notification was delayed as a result of an investigation by law enforcement

10 2-9: Legal Driving Forces
Industry Accreditation
- For hospitals, etc.
- Often have security requirements
PCI-DSS
- Payment Card Industry Data Security Standards
- Applies to all firms that accept credit cards
- Has 12 general requirements, each with specific subrequirements

11 2-9: Legal Driving Forces
FISMA
- Federal Information Security Management Act of 2002
- Processes for all information systems used or operated by U.S. federal government agencies
  - Also by any contractor or other organization on behalf of a U.S. government agency
- Certification, followed by accreditation
- Continuous monitoring
- Criticized for focusing on documentation instead of protection

12 2-9: Legal Driving Forces
Compliance Laws and Regulations
- Compliance laws and regulations create requirements for corporate security
- Documentation requirements are strong
- Identity management requirements tend to be strong
- Compliance can be expensive
- There are many compliance laws and regulations, and the number is increasing rapidly

13 2-9: Legal Driving Forces
Sarbanes–Oxley Act of 2002
- Massive corporate financial frauds in 2002
- Act requires firms to report material deficiencies in financial reporting processes
- Material deficiency: a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected

14 2-9: Legal Driving Forces
Sarbanes–Oxley Act of 2002
- Report material control deficiencies in the financial reporting process

15 Back to Planning

16 2-1: Management is the Hard Part
Technology Is Concrete
- Can visualize devices and transmission lines
- Can understand device and software operation
- But we can't just focus on the concrete vs. the abstract
Management Is Abstract
Management Is More Important
- Security is a process, not a product (Bruce Schneier)

17 What to Protect?
- Databases and servers: easy to identify
- Organizational processes: less so
  - Financial reporting (should be easier for accountants)
  - New product development (i.e., intellectual property)

18 2-4: Security Management Is a Disciplined Process
- Complex
  - Cannot be managed informally
- Need formal processes
  - Planned series of actions in security management
  - Annual planning
  - Processes for planning and developing individual countermeasures
- Must be continuous
- Must meet legal and other compliance regulations
Thus…

19 2-5: The Plan-Protect-Respond Cycle for Security Management
- Dominates security management thinking

20 2-7: Vision
Security as an Enabler
- Security is often thought of as a preventer
- But security is also an enabler
- If a company has good security, it can do things otherwise impossible
  - Engage in interorganizational systems with other firms (Dell, Wal-Mart)
  - Can use SNMP SET commands to manage their systems remotely
- Must get in early on projects to reduce inconvenience

21 2-8: Strategic IT Security Planning
- Identify current IT security gaps
- Identify driving forces
  - The threat environment
  - Compliance laws and regulations
  - Corporate structure changes, such as mergers
- Identify corporate resources needing protection
  - Enumerate all resources
  - Rate each by sensitivity

22 2-8: Strategic IT Security Planning
- Develop remediation plans
  - Develop a remediation plan for all security gaps
  - Develop a remediation plan for every resource unless it is well protected
- Develop an investment portfolio
  - You cannot close all gaps immediately
  - Choose projects that will provide the largest returns
  - Implement these

23 2-13: Risk Analysis
Realities
- Can never eliminate risk
- "Information assurance" is impossible
Risk Analysis
- Goal is reasonable risk
- Risk analysis weighs the probable cost of compromises against the costs of countermeasures
- Also, security has negative side effects that must be weighed

24 2-13: Risk Analysis
Single Loss Expectancy (SLE)
- Asset Value (AV) x Exposure Factor (EF) = Single Loss Expectancy (SLE)
  - Exposure Factor: percentage lost in asset value if a compromise occurs
  - SLE: expected loss in case of a compromise
Annualized Loss Expectancy (ALE)
- SLE x Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)
  - ARO: annual probability of a compromise
  - ALE: expected loss per year from this type of compromise

25 2-14: Classic Risk Analysis Calculation
                                              Base Case    Countermeasure A
Asset Value (AV)                              $100,000     $100,000
Exposure Factor (EF)                          80%          20%
Single Loss Expectancy (SLE) = AV*EF          $80,000      $20,000
Annualized Rate of Occurrence (ARO)           50%          50%
Annualized Loss Expectancy (ALE) = SLE*ARO    $40,000      $10,000
ALE Reduction for Countermeasure              NA           $30,000
Annualized Countermeasure Cost                NA           $17,000
Annualized Net Countermeasure Value           NA           $13,000
Countermeasure A should reduce the exposure factor by 75%

26 2-14: Classic Risk Analysis Calculation
                                              Base Case    Countermeasure B
Asset Value (AV)                              $100,000     $100,000
Exposure Factor (EF)                          80%          80%
Single Loss Expectancy (SLE) = AV*EF          $80,000      $80,000
Annualized Rate of Occurrence (ARO)           50%          25%
Annualized Loss Expectancy (ALE) = SLE*ARO    $40,000      $20,000
ALE Reduction for Countermeasure              NA           $20,000
Annualized Countermeasure Cost                NA           $4,000
Annualized Net Countermeasure Value           NA           $16,000
Countermeasure B should cut the frequency of compromises in half

27 2-14: Classic Risk Analysis Calculation
                                              Base Case    Countermeasure A    Countermeasure B
Asset Value (AV)                              $100,000     $100,000            $100,000
Exposure Factor (EF)                          80%          20%                 80%
Single Loss Expectancy (SLE) = AV*EF          $80,000      $20,000             $80,000
Annualized Rate of Occurrence (ARO)           50%          50%                 25%
Annualized Loss Expectancy (ALE) = SLE*ARO    $40,000      $10,000             $20,000
ALE Reduction for Countermeasure              NA           $30,000             $20,000
Annualized Countermeasure Cost                NA           $17,000             $4,000
Annualized Net Countermeasure Value           NA           $13,000             $16,000
Although Countermeasure A reduces the ALE more, Countermeasure B is much less expensive. The annualized net countermeasure value for B is larger. The company should select Countermeasure B.

28 2-15: Problems with Classic Risk Analysis Calculations
Uneven Multiyear Cash Flows
- For both attack costs and defense costs
- Must compute the return on investment (ROI) using discounted cash flows
  - Net present value (NPV) or internal rate of return (IRR)

29 2-15: Problems with Classic Risk Analysis Calculations
Total Cost of Incident (TCI)
- Exposure factor in classic risk analysis assumes that a percentage of the asset is lost
- In most cases, damage does not come from asset loss
  - For instance, if personally identifiable information is stolen, the cost is enormous but the asset remains
- Must compute the total cost of incident (TCI)
  - Include the cost of repairs, lawsuits, and many other factors

30 2-15: Problems with Classic Risk Analysis Calculations
Many-to-Many Relationships between Countermeasures and Resources
- Classic risk analysis assumes that one countermeasure protects one resource
- Single countermeasures, such as a firewall, often protect many resources
- Single resources, such as data on a server, are often protected by multiple countermeasures
- Extending classic risk analysis is difficult

31 2-15: Problems with Classic Risk Analysis Calculations
Impossibility of Knowing the Annualized Rate of Occurrence
- There simply is no way to estimate this
- This is the worst problem with classic risk analysis
- As a consequence, firms often merely rate their resources by risk level

32 2-15: Problems with Classic Risk Analysis Calculations
Problems with "Hard-Headed Thinking"
- Security benefits are difficult to quantify
- If only "hard numbers" are accepted, a firm may underinvest in security

33 2-15: Problems with Classic Risk Analysis Calculations
Perspective
- Impossible to do perfectly
- Must be done as well as possible
- Identifies key considerations
- Works if countermeasure value is very large or very negative
- But never take classic risk analysis seriously

34 Risk Management: OCTAVE Allegro

35 OCTAVE: Operationally Critical Threat, Asset, Vulnerability Evaluation

36 Risk: The combination of a threat (a condition) and the resulting impact of the threat if acted upon (a consequence).

37 OCTAVE
Methodology for identifying and evaluating security risks
- develop qualitative risk evaluation criteria that describe the organization's operational risk tolerances
- identify assets that are important to the mission of the organization
- identify vulnerabilities and threats to those assets
- determine and evaluate the potential consequences to the organization if threats are realized

38 OCTAVE Methodologies
- OCTAVE
- OCTAVE-S
- OCTAVE-Allegro

39 OCTAVE
For large organizations
- >300 employees
- have a multi-layered hierarchy
- maintain their own computing infrastructure
- have the ability to run vulnerability evaluation tools
- have the ability to interpret the results of vulnerability evaluations
Performed in a series of workshops conducted and facilitated by an interdisciplinary analysis team drawn from business units throughout the organization (e.g. senior management, operational area managers, and staff) and members of the IT department [Alberts 2002].
- Phase I, Organizational View: identify important information assets
- Phase II, Technological View: supplement threat analysis
- Phase III, Strategy and Plan: risk identification, risk mitigation

40 OCTAVE-S
For small manufacturing companies
- performed by an analysis team that has extensive knowledge of the organization
- designed to include a limited examination of infrastructure risks
- no vulnerability testing (or limited)

41 OCTAVE Allegro
- Broad assessment of operational risk environment
- Focus on information assets
  - How they are used
  - Where they are used
  - Where they are stored, transported, and processed
  - How they are exposed to threats, vulnerabilities, and disruptions

42 8 Steps / 4 Phases
Establish Drivers
- Step 1: Establish Risk Measurement Criteria
Profile Assets
- Step 2: Develop Information Asset Profile
- Step 3: Identify Information Asset Containers
Identify Threats
- Step 4: Identify Areas of Concern
- Step 5: Identify Threat Scenarios
Identify/Mitigate Risks
- Step 6: Identify Risks
- Step 7: Analyze Risks
- Step 8: Select Mitigation Approach
The outputs of each step are recorded in a worksheet and become inputs for the next step

43 Step 1: Establish Risk Measurement Criteria
- Risk measurement criteria determined
  - Qualitative measure
  - Used to evaluate effect of risk
  - Forms information asset risk assessment
- Rank significance of impact areas
  - E.g. Customers vs. Compliance


46 The most important category should receive the highest score and the least important the lowest.

47 Step 2: Develop Information Asset Profile
Information asset: information or data that is of value to the organization
- Can exist in physical form (on paper, CDs, or other media) or electronically (stored in databases, in files, on personal computers)
Describe assets:
- unique features, qualities, characteristics, and value
- unambiguous definition of the asset's boundaries
- security requirements for the asset are adequately defined
  - Confidentiality, Integrity, Availability

48 Step 2: Select Critical Information Assets
- Focus on the "critical few"
- Which would have the largest impact on your organization, based on the risk measurement criteria, if:
  - The asset or assets were disclosed to unauthorized people
  - The asset or assets were modified without authorization
  - The asset or assets were lost or destroyed
  - Access to the asset or assets was interrupted


50 Step 3: Identify Information Asset Containers
Places where information assets are:
- Stored
- Processed
- Transported
Three types of containers
- Technical: hardware, software, application systems, servers, and networks
- Physical: file folders (where information is stored in written form)
- People (who may carry around important information such as intellectual property)
Containers are both internal to the organization and external
- An organization must identify all of the locations where its information assets are stored, transported, or processed, whether or not they are within the organization's direct control
Container risks are inherited by the information assets within them

51 Step 3: Security of Information Asset Containers
- Controls are at the container level
- Security depends on how well the control reflects the security requirements of the container
- Any vulnerabilities or threats to a container are inherited by the information asset inside


55 Step 4: Identify Areas of Concern
- Identify conditions that can threaten information assets
- Not intended to be an exhaustive list of all threats
- Rather a list of threats that are immediately thought of


57 Step 5: Identify Threat Scenarios
Areas of concern are expanded into threat scenarios
- Actor involved
- Means
- Motive
- Outcome
- Security requirements
From threat scenario questionnaires
- Probability of occurrence: High, Medium, Low


63 For any "Yes" from the questionnaire, create an Information Asset Risk Worksheet

64 Step 6: Identify Risks
- Determine consequences if the threat occurs
- More than one consequence is possible
  - Reputation consequence
  - Financial consequence
- Threat (condition) + Impact (consequence) = Risk
- [Steps 4 and 5] + [Step 6] = Risk


66 Step 7: Analyze Risk
- Compute a quantitative measure of risk
- Using consequence and relative importance of impact area
  - High = 3, Medium = 2, or Low = 1
- Probability (if used)

67 The scores generated in this activity are only meant to be used as a prioritization tool. Differences between risk scores are not considered to be relevant. In other words, a score of 48 means that the risk is relatively more important to the organization than a score of 25, but there is no importance to the difference of 13 points.

68 Step 8: Select Mitigation Approach
- First, prioritize risks based on risk score (Step 7)
- Mitigation strategies are developed that consider:
  - The value of the asset
  - The asset's security requirements
  - The containers in which it lives
  - The organization's unique operating environment

69 Types of Mitigation
- Accept: take no action, risk has low or zero impact
- Mitigate: develop controls to counter risk
- Defer: gather more information and re-analyze in the future

70 Risk Matrix
- Take the relative risk score and divide it into 4 even pools
- Then use the pools to determine the Mitigate, Defer, or Accept decision
- If probabilities are used, then create a matrix (Probability of Occurrence x Risk Score)
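Steps 7 and 8 worked through in code as an added example (not code from the OCTAVE Allegro method documents or from these slides): the relative risk score as the sum of impact area rank times consequence value, the four even pools, and the probability x risk-score matrix. The impact areas are Allegro's standard ones, but the ranking, the pool-to-decision mapping, the probability matrix, and the threat scenarios are assumptions made for illustration.

```python
# Added example, not from the slides: OCTAVE Allegro Step 7 scoring and the
# Step 8 risk-matrix pools. Function names, the ranking, the pool-to-decision
# mapping and the probability matrix are illustrative assumptions.

IMPACT_VALUE = {"High": 3, "Medium": 2, "Low": 1}

# Constructed Step 1 output: impact areas ranked by importance to the
# organization; the highest rank is the most important area. These are
# Allegro's standard impact areas, the ranking itself is made up here.
IMPACT_AREA_RANK = {
    "Reputation/Customer confidence": 5,
    "Financial": 4,
    "Productivity": 3,
    "Safety/Health": 2,
    "Fines/Legal penalties": 1,
}


def relative_risk_score(consequences, ranks=IMPACT_AREA_RANK):
    """Step 7: sum of (impact area rank x consequence value) over all areas.

    `consequences` maps each impact area to "High", "Medium" or "Low", the
    impact the worksheet assigns to the threat scenario in that area.
    """
    if set(consequences) != set(ranks):
        raise ValueError("every impact area needs exactly one consequence")
    return sum(ranks[area] * IMPACT_VALUE[consequences[area]] for area in ranks)


def score_bounds(ranks=IMPACT_AREA_RANK):
    """Lowest and highest scores the ranking permits (all Low / all High)."""
    total_rank = sum(ranks.values())
    return total_rank * IMPACT_VALUE["Low"], total_rank * IMPACT_VALUE["High"]


def risk_pool(score, ranks=IMPACT_AREA_RANK, pools=4):
    """Step 8: place a score in one of `pools` equal-width pools.

    Pool 1 holds the lowest scores, pool `pools` the highest. The pools are
    spread over the achievable score range (an assumption; the slide only
    says "divide into 4 even pools").
    """
    low, high = score_bounds(ranks)
    if not low <= score <= high:
        raise ValueError(f"score {score} outside achievable range {low}-{high}")
    width = (high - low) / pools
    # A score on the top boundary still belongs to the last pool.
    return min(pools, int((score - low) // width) + 1)


# Assumed mapping from pool to the three mitigation approaches on the slide.
POOL_DECISION = {4: "Mitigate", 3: "Mitigate", 2: "Defer", 1: "Accept"}

# Assumed probability x pool matrix for when Step 5 probabilities are used:
# a likely threat is mitigated sooner, an unlikely one can be deferred longer.
PROBABILITY_MATRIX = {
    "High":   {4: "Mitigate", 3: "Mitigate", 2: "Mitigate", 1: "Defer"},
    "Medium": {4: "Mitigate", 3: "Mitigate", 2: "Defer",    1: "Accept"},
    "Low":    {4: "Mitigate", 3: "Defer",    2: "Accept",   1: "Accept"},
}


def mitigation_approach(score, probability=None, ranks=IMPACT_AREA_RANK):
    """Accept, Defer or Mitigate for a risk, optionally using its probability."""
    pool = risk_pool(score, ranks)
    if probability is None:
        return POOL_DECISION[pool]
    return PROBABILITY_MATRIX[probability][pool]


def prioritize(risks, ranks=IMPACT_AREA_RANK):
    """Order named risks by relative risk score, highest first."""
    scored = {name: relative_risk_score(cons, ranks) for name, cons in risks.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    # Constructed threat scenarios for a hospital patient information database.
    risks = {
        "records disclosed via lost backup tape": {
            "Reputation/Customer confidence": "High", "Financial": "High",
            "Productivity": "Medium", "Safety/Health": "Low", "Fines/Legal penalties": "Low"},
        "report printer down for an hour": {area: "Low" for area in IMPACT_AREA_RANK},
    }
    for name, score in prioritize(risks):
        print(f"{score:3d}  pool {risk_pool(score)}  {mitigation_approach(score):8s} {name}")
```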


72 2-16: Responding to Risk
Risk Reduction / Mitigation
- The approach most people consider
- Install countermeasures / controls to reduce harm
- Makes sense only if risk analysis justifies the countermeasure / control
Risk Acceptance
- If protecting against a loss would be too expensive, accept losses when they occur
- Good for small, unlikely losses
- Good for large but rare losses

73 2-16: Responding to Risk
Risk Transference
- Buy insurance against security-related losses
- Especially good for rare but extremely damaging attacks
- Does not mean a company can avoid working on IT security
  - Security in place = lower premiums
  - Bad or little security = not insurable
Risk Avoidance
- Not to take a risky action
- Lose the benefits of the action
- May cause anger against IT security

74 Example: Hospital Patient Information Database

75 2-10: Organizational Issues
Chief Security Officer (CSO)
- Also called chief information security officer (CISO)
Where to Locate IT Security?
- Within IT
  - Compatible technical skills
  - CIO will be responsible for security
- Outside of IT
  - Gives independence
  - Hard to blow the whistle on IT and the CIO
  - This is the most commonly advised choice
- Hybrid
  - Place planning, policy making, and auditing outside of IT
  - Place operational aspects such as firewall operation within IT

76 2-10: Organizational Issues
Relationships with Other Departments
- Special relationships
  - Auditing departments
    - IT auditing, internal auditing, financial auditing
    - Might place security auditing under one of these
    - This would give independence from the security function
  - Facilities (buildings) management
  - Uniformed security

77 2-10: Organizational Issues
Relationships with Other Departments
- All corporate departments
  - Cannot merely toss policies over the wall
- Business partners
  - Must link IT corporate systems together
  - Before doing so, must exercise due diligence in assessing their security

78 2-10: Organizational Issues
Outsourcing IT Security
- Only e-mail or web service (Figure 2-11)
- Managed Security Service Providers (MSSPs) (Figure 2-12)
  - Outsource most IT security functions to the MSSP
  - But usually not policy
- Example of MSSP companies (from RSA)

79 2-11: E-Mail Outsourcing

80 2-12: Managed Security Service Provider (MSSP)

81 2-17: Corporate Technical Security Architecture
Technical Security Architectures
- Definition
  - All of the company's technical countermeasures
  - And how these countermeasures are organized into a complete system of protection
- Architectural decisions
  - Based on the big picture
  - Must be well planned to provide strong security with few weaknesses

82 2-2: The Need for Comprehensive Security
- Also known as the defender's dilemma

83 2-3: Weakest Link Failure
- A failure in any component will lead to failure for the entire system.
- Keep in mind this is a single countermeasure (firewall)

84 2-17: Corporate Technical Security Architecture
Principles
- Defense in depth
  - Resource is guarded by several countermeasures in series
  - Attacker must breach them all, in series, to succeed
  - If one countermeasure fails, the resource remains safe

85 2-17: Corporate Technical Security Architecture
Principles
- Defense in depth versus weakest links
  - Defense in depth: multiple independent countermeasures that must be defeated in series
  - Weakest link: a single countermeasure with multiple interdependent components that must all succeed for the countermeasure to succeed

86 2-17: Corporate Technical Security Architecture
Principles
- Avoiding single points of vulnerability
  - Failure at a single point can have drastic consequences
  - DNS servers, central security management servers, etc.

87 2-17: Corporate Technical Security Architecture
Principles
- Minimizing security burdens
- Realistic goals
  - Cannot change a company's protection level overnight
  - Mature as quickly as possible

88 2-17: Corporate Technical Security Architecture
Elements of a Technical Security Architecture
- Border management
- Internal site management
- Management of remote connections
- Interorganizational systems with other firms
- Centralized security management
  - Increases the speed of actions
  - Reduces the cost of actions

89 2-18: Policies
Policies
- Statements of what is to be done
- Provide clarity and direction
- Do not specify in detail how the policy is to be implemented in specific circumstances
  - This allows the best possible implementation at any time
- Vary widely in length

90 2-18: Policies
Tiers of Security Policies
- Brief corporate security policy to drive everything
- Major policies
  - E-mail
  - Hiring and firing
  - Personally identifiable information
  - …

91 2-18: Policies
Tiers of Security Policies
- Acceptable use policy
  - Summarizes key points of special importance for users
  - Typically, must be signed by users
- Policies for specific countermeasures
  - Again, separates security goals from implementation

92 Policy vs. Laws
- Ignorance of policy is a valid defense
Criteria for Enforceable Policy
- Dissemination: policy is readily available to employees
- Review: policy is intelligible, including different languages and disabilities
- Comprehension: employee understood the policy (quizzes, etc.)
- Compliance: employee agrees to comply with policy (written or "click")
- Uniform enforcement: regardless of employee status or position

93 2-18: Policies
Writing Policies
- For important policies, IT security cannot act alone
- There should be policy-writing teams for each policy
- For broad policies, teams must include IT security, management in affected departments, the legal department, and so forth
- The team approach gives authority to policies
- It also prevents mistakes because of IT security's limited viewpoint

94 2-19: Policies, Implementation, and Oversight

95 2-20: Implementation Guidance
Types of Implementation Guidance
- Procedures: detailed specifications for how something should be done
  - Can be either standards or guidelines
- Segregation of duties: two people are required to complete sensitive tasks
  - In movie theaters, one sells tickets and the other takes tickets
  - No individual can do damage, although

96 2-20: Implementation Guidance
Types of Implementation Guidance
- Request/authorization control
  - Limit the number of people who may make requests on sensitive matters
  - Allow even fewer to be able to authorize requests
  - Authorizer must never be the requester
- Mandatory vacations to uncover schemes that require constant maintenance
- Job rotation to uncover schemes that require constant maintenance

97 2-20: Implementation Guidance
Types of Implementation Guidance
- Procedures: detailed descriptions of what should be done
- Processes: less detailed specifications of what actions should be taken
  - Necessary in managerial and professional business functions
- Baselines: checklists of what should be done, but not the process or procedures for doing them

98 2-20: Implementation Guidance
Types of Implementation Guidance
- Best practices: most appropriate actions in other companies
- Recommended practices: normative guidance
- Accountability
  - Owner of resource is accountable
  - Implementing the policy can be delegated to a trustee, but accountability cannot be delegated
- Codes of ethics

99 2-21: Ethics
Ethics
- A person's system of values
- Needed in complex situations
- Different people may make different decisions in the same situation
- Companies create codes of ethics to give guidance in ethical decisions

100 2-21: Ethics
Code of Ethics: Typical Contents (Partial List)
- Importance of good ethics to have a good workplace and to avoid damaging a firm's reputation
- The code of ethics applies to everybody
  - Senior managers usually have additional requirements
- Improper ethics can result in sanctions, up to termination
- An employee must report observed unethical behavior

101 2-21: Ethics
Code of Ethics: Typical Contents (Partial List)
- An employee must avoid conflicts of interest
  - Never exploit one's position for personal gain
  - No preferential treatment of relatives
  - No investing in competitors
  - No competing with the company while still employed by the firm

102 2-21: Ethics
Code of Ethics: Typical Contents (Partial List)
- No bribes or kickbacks
  - Bribes are given by outside parties to get preferential treatment
  - Kickbacks are given by sellers when they place an order to secure this or future orders
- Employees must use business assets for business uses only, not personal use

103 2-21: Ethics
Code of Ethics: Typical Contents (Partial List)
- An employee may never divulge
  - Confidential information
  - Private information
  - Trade secrets

104 2-22: Exception Handling
Exceptions Are Always Required
- But they must be managed
Limiting Exceptions
- Only some people should be allowed to request exceptions
- Fewer people should be allowed to authorize exceptions
- The person who requests an exception must never be the authorizer

105 2-22: Exception Handling
Exceptions Must be Carefully Documented
- Specifically what was done and who did each action
Special Attention Should be Given to Exceptions in Periodic Auditing
Exceptions Above a Particular Danger Level
- Should be brought to the attention of the IT security department and the authorizer's direct manager

106 2-23: Oversight
Oversight
- Oversight is a term for a group of tools for policy enforcement
- Policy drives oversight, just as it drives implementation
Promulgation
- Communicate vision
- Training
- Stinging employees?

107 2-23: Oversight
Electronic Monitoring
- Electronically collected information on behavior
- Widely done in firms and used to terminate employees
- Warn subjects and explain the reasons for monitoring

108 2-23: Oversight
Security Metrics
- Indicators of compliance that are measured periodically
  - Percentage of passwords on a server that are crackable, etc.
- Periodic measurement indicates progress in implementing a policy

109 2-23: Oversight
Auditing
- Samples information to develop an opinion about the adequacy of controls
- Database information in log files and prose documentation
- Extensive recording is required in most performance regimes
- Avoidance of compliance is a particularly important finding

110 2-23: Oversight
Auditing
- Internal and external auditing may be done
- Periodic auditing gives trends
- Unscheduled audits trip up people who plan their actions around periodic audits

111 2-23: Oversight
Anonymous Protected Hotline
- Often, employees are the first to detect a serious problem
- A hotline allows them to call it in
- Must be anonymous and guarantee protection against reprisals
- Offer incentives for heavily damaging activities such as fraud?

112 2-23: Oversight
Behavioral Awareness
- Misbehavior often occurs before serious security breaches
- The fraud triangle indicates motive (see Figure 2-24)

113 2-23: Oversight
Vulnerability Tests
- Attack your own systems to find vulnerabilities
- Free and commercial software
- Never test without a contract specifying the exact tests, signed by your superior
- The contract should hold you blameless in case of damage

114 2-23: Oversight
Vulnerability Tests
- External vulnerability testing firms have expertise and experience
- They should carry insurance against accidental harm and employee misbehavior
- They should not hire hackers or former hackers
- Testing should end with a list of recommended fixes
- Follow up on whether those fixes were actually made
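The two slides above insist that a vulnerability test run only under a signed contract naming the exact tests. A practical way to honor that is to make the test harness itself read the scope from the agreement and refuse anything outside it. The following is an added example, not code from the textbook or from any testing tool: a rules-of-engagement check that rejects a target if the contract is unsigned, the current time is outside the authorized window, the requested test is not one the contract names, or the address falls outside the in-scope ranges or inside a carve-out. The Contract structure, the signer, the addresses (RFC 5737 documentation ranges), the test names and the dates are all constructed.

```python
"""Rules-of-engagement check for a vulnerability test.

Added example, not from the textbook or any testing tool. Contract layout,
hosts, test names and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Contract:
    """Hypothetical machine-readable form of the signed test agreement."""
    signed_by: str                        # the superior who signed; empty = unsigned
    window_start: datetime                # authorized test window (inclusive)
    window_end: datetime
    in_scope: Tuple[str, ...]             # CIDR blocks that may be tested
    excluded: Tuple[str, ...] = ()        # carve-outs inside in_scope; never touched
    allowed_tests: Tuple[str, ...] = ()   # the exact tests the contract names


def authorization_problem(c: Contract, target: str, test_name: str, now: datetime) -> Optional[str]:
    """Return None if the contract authorizes test_name on target at time now,
    otherwise a one-line reason suitable for the test log."""
    if not c.signed_by:
        return "contract is not signed"
    if not (c.window_start <= now <= c.window_end):
        return f"{now.isoformat()} is outside the authorized window"
    if test_name not in c.allowed_tests:
        return f"test {test_name!r} is not named in the contract"
    try:
        addr = ip_address(target)
    except ValueError:
        return f"unparseable target {target!r}"
    if any(addr in ip_network(net) for net in c.excluded):
        return f"{target} is explicitly excluded"
    if not any(addr in ip_network(net) for net in c.in_scope):
        return f"{target} is not in the authorized scope"
    return None


def filter_targets(c: Contract, targets: List[str], test_name: str,
                   now: datetime) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split targets into (authorized, [(target, reason), ...]).
    Only the first list may be handed to the scanner."""
    authorized: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for t in targets:
        problem = authorization_problem(c, t, test_name, now)
        if problem is None:
            authorized.append(t)
        else:
            rejected.append((t, problem))
    return authorized, rejected


# Constructed contract and target list.
CONTRACT = Contract(
    signed_by="J. Doe, CISO",
    window_start=datetime(2010, 5, 1, tzinfo=timezone.utc),
    window_end=datetime(2010, 5, 3, tzinfo=timezone.utc),
    in_scope=("192.0.2.0/24",),
    excluded=("192.0.2.10/32",),          # e.g. the production database host
    allowed_tests=("tcp_port_scan", "tls_config_check"),
)
TARGETS = ["192.0.2.5", "192.0.2.10", "198.51.100.7", "not-a-host"]
NOW = datetime(2010, 5, 2, 9, 0, tzinfo=timezone.utc)
LATER = datetime(2010, 5, 9, tzinfo=timezone.utc)     # after the window closes


def demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Run the check over the constructed inputs."""
    return filter_targets(CONTRACT, TARGETS, "tcp_port_scan", NOW)


if __name__ == "__main__":
    ok, rejected = demo()
    print("authorized:", ok)
    for target, why in rejected:
        print(f"refused {target}: {why}")
```

The rejection reasons are worth logging alongside the scan output: they are the evidence, at follow-up time, that the test stayed inside what was signed for, and the authorized list doubles as the starting point for tracking which findings were actually fixed.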

115 2-25: Governance Frameworks

116 2-26: COSO
Origins
- Committee of Sponsoring Organizations of the Treadway Commission (www.coso.org)
- An ad hoc group formed to provide guidance on financial controls
Focus
- Corporate operations, financial controls, and compliance
- Effectively required for Sarbanes-Oxley compliance
- The goal is reasonable assurance, not certainty, that objectives will be met

117 2-26: COSO
Components: Control Environment
- The general security culture, including the "tone at the top"
- If the control environment is strong, even weak specific controls may be effective
- If it is weak, even strong specific controls may fail
- This is the major insight of COSO

118 2-26: COSO
Components
- Risk assessment: an ongoing preoccupation, not a one-time exercise
- Control activities: general policy plus specific procedures

119 2-26: COSO
Components
- Monitoring: both human vigilance and technology
- Information and communication: must ensure that the company has the right information for its controls, and that communication flows across all levels of the corporation

120 2-27: CobiT
CobiT
- Control Objectives for Information and Related Technologies
- CIO-level guidance on IT governance
- Offers many documents that help organizations understand how to implement the framework


122 2-27: CobiT
The CobiT Framework
- Four major domains (Figure 2-26)
- 34 high-level control objectives, divided among the domains:
  - Planning and organization (11)
  - Acquisition and implementation (6)
  - Delivery and support (13)
  - Monitoring (4)
- More than 300 detailed control objectives beneath these

123 2-27: CobiT
Dominance in the United States
- Created by the IT Governance Institute, which is part of the Information Systems Audit and Control Association (ISACA)
- ISACA is the main professional accrediting body for IT auditing
- It awards the Certified Information Systems Auditor (CISA) certification

124 2-29: The ISO/IEC 27000 Family of Security Standards
ISO/IEC 27000
- A family of IT security standards comprising several individual standards
- From the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
ISO/IEC 27002
- Originally called ISO/IEC 17799
- Recommendations in 11 broad areas of security management

125 2-29: The ISO/IEC 27000 Family of Security Standards
ISO/IEC 27002: Eleven Broad Areas
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance

126 2-29: The ISO/IEC 27000 Family of Security Standards
ISO/IEC 27001
- Created in 2005, long after the material that became ISO/IEC 27002
- Specifies certification by a third party
- COSO and CobiT permit only self-certification
- Business partners prefer third-party certification
Other 27000 Standards
- Many more 27000-series standards documents are under preparation

127 The End

128 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America. Copyright © 2010 Pearson Education, Inc., publishing as Prentice Hall.

