Copyright Security-Assessment.com 2004 Security Governance and Regulatory Controls by Peter Benson.

Presentation transcript:

Agenda
- ISO/IEC
- AS/NZS
- SIGS
- Sarbanes Oxley
- CIS
- COBiT
- Others

General Issues
Controls considered to be essential to an organization from a legislative point of view include:
– data protection and privacy of personal information
– safeguarding of organizational records
– intellectual property rights
Audit and Compliance key issues

Trends
- Continuous Auditing
- Continuous Assurance
- Changing Regulatory Environment
- Security as a Business Requirement
- Benchmarking
- Security Metrics
- Information Leakage / Information Asset Management
- Hacking for Pirating / Spam
- Phishing

Security Success Factors
- Security policy, objectives and activities that reflect business objectives;
- Consistent Security Implementation Approach;
- Management Buy-in – Visibility and Support;
- Security Requirements, Risk Assessment and Risk Management understood;
- Security Marketing;
- Policy and Standards Distribution;
- Training and education;
- Measurement and Improvement Systems.

ISO Business Requirements
- Reasonable level of Uptake
- Compliance rather than Certification
- Guideline rather than Prescription
- Gap Analysis and Roadmaps

ISO coverage
- Security Policy
- Organisational Security
- Asset Classification and Control
- Personnel Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Systems Development and Maintenance
- Business Continuity Management
- Compliance

SIGS
- Designed for government departments and agencies, State Owned Enterprises and Crown Entities; however, it may be applicable to companies working with Government
- May be Mandatory
- Based on the Joint Australian New Zealand Standard AS/NZ ISO/IEC 17799:2001
- Risk Analysis and Management aligned to AS/NZS 4360: Risk Management
- Some content drawn from Australia’s “Commonwealth Protective Security Manual” and the United Kingdom's “Manual of Protective Security”.

Sarbanes-Oxley Section 404
- Y2K on Steroids
- Typically under-reaction to over-reaction
- Required for any company wanting to work in the US
- Based around Financial Accounting and Audit, but…
- High focus on Best Practice for IT
  – COBiT adopted
  – ISO
- Compliance / Auditability against reasonable / best practice high on agenda
- 3rd Party Auditing issues

COBiT
- Control Objectives and Audit Guidelines
- NOT a set of audit controls or specifics
- Not Information Security specific; generally accepted reasonable practice

SSE-CMM

SSE-CMM Measurement

CIS Benchmarks
- Generally Considered “Reasonable Practice”
- Strong use in Compliance Testing

Emerging Issues
- Australian Commerce Act
- Fair Trading Act (AUS)
- Civil (Tort) Law (Duty of Care, Negligence)
- Contingent Liability (Hacked Systems)
- New Zealand Crimes Act
- Accountability but not necessarily Responsibility (outsourcing)
- Process Auditability (Do what you say you do)
- Compliance Management and Security Metrics

Common Themes in NZ Organisations
- Federated business models
- Lack of centralised decision making or effective delegation
- Insufficient buy-in (Metrics and Marketing!)
- Security and Risk disconnect
- Lack of effective compliance testing
- Lack of compliance performance analysis
- Delegation of Responsibility – but abrogating Accountability

Directions to Consider
- Documented processes and process auditability
- Compliance Management
- Vulnerability Management / Continuous Auditing
- Security SLAs
- Manage Security Performance against Benchmarks / Baselines
- MEASURE SECURITY (and Market it!)

Questions?