Strawman operating environment proposal Presented to P2600 Meeting #16, Las Vegas NV January 16-17, 2006 Brian Smithson.

Problem: NIAP doesn't like our definitions

- "I am confused with the "high security" name being used. All environments have a need for high assurance (security) functionality."
- "If you are equating "High Security" with government why not call it Government Environment. High security at EAL2 is confusing. Like I indicated, all environments, including government, need high, medium and basic robustness protections."
- "I am not sure why you need a High Asset Value Environment; every environment ("Enterprise", "Public" and "Small Office - Home Office") has high value assets. Even in my home office I have high value assets (at least I consider them high value). An example may be my financial data: when I get on the Internet to pay my bills I do not want a hacker to get access to my checking account data. All the examples you provided can be considered "Enterprise" environments. The only difference may be the threat to their high value assets and how much protection they need for those assets."

[my emphasis]

Our environmental dimensions

- Based on security level: the concept is too subjective. Does anyone want "low security"?
- Based on asset value: the concept is too relative. Everyone highly values their own assets.

Both scales rank the same four environments in the same order, from High to Low: High security, Enterprise, Public, SOHO.

Proposed new dimension: Accountability

- Auditable environments: for handling information whose handling is regulated by laws or conventions. Concerned with who did what and when, even if it is an authorized operation. Requires more audit data and more separation of administration roles.
- Enterprise environments: still require individual identification and authentication (I&A), but not so much auditability. Exceptions and unsuccessful operations would be logged, for security purposes.
- Public environments: no identification, only temporary authorization. Usage logging for accounting/payment only.
- SOHO environments: don't require authentication or logging. Still require some security protections.

Accountability scale, from high to low:
- Auditable environment: individual I&A, complete logging, separate auditor role
- Enterprise environment: individual I&A, exception logging
- Public environment: no identification, temporary authorization, usage logging only
- SOHO environment: no authorization, no logging, basic security protection
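As an added illustration, not from this presentation or from the P2600 drafts, the Python sketch below applies the four accountability levels to one operation mediator on a hardcopy device. The access-control decision (`permitted`) is the same in every environment; the environment only changes who must be identified and what gets recorded. It also makes "separate auditor role" concrete: in the auditable environment an administrator cannot read the audit trail, and the attempt is itself audited. The class, role and operation names are hypothetical.

```python
"""Accountability-dimension audit policy, as an added example (hypothetical design)."""
from dataclasses import dataclass, field
from enum import Enum


class Env(Enum):
    AUDITABLE = "auditable"    # individual I&A, complete logging, separate auditor role
    ENTERPRISE = "enterprise"  # individual I&A, exception logging only
    PUBLIC = "public"          # no identification, temporary authorization, usage log only
    SOHO = "soho"              # no authorization, no logging, basic protection only


@dataclass(frozen=True)
class Principal:
    name: str             # individual identity, or a temporary job token in public use
    roles: frozenset      # hypothetical roles: "user", "admin", "auditor"
    authenticated: bool   # True only after identification and authentication


@dataclass
class Mediator:
    env: Env
    audit_log: list = field(default_factory=list)  # who / what / when / outcome
    usage_log: list = field(default_factory=list)  # what / when only, for accounting

    def _audit(self, when, who, op, outcome):
        self.audit_log.append({"when": when, "who": who.name, "op": op, "outcome": outcome})

    def request(self, who, op, permitted, when):
        """Mediate one device operation and record it according to the environment.

        `permitted` is the ordinary access-control decision (e.g. an ACL on the
        document); it is enforced identically in all four environments.
        """
        needs_individual = self.env in (Env.AUDITABLE, Env.ENTERPRISE)
        if needs_individual and not who.authenticated:
            # An unauthenticated attempt is an exception in both environments: always logged.
            self._audit(when, who, op, "denied: not authenticated")
            return False
        outcome = "ok" if permitted else "denied"
        if self.env is Env.AUDITABLE:
            self._audit(when, who, op, outcome)        # authorized operations too
        elif self.env is Env.ENTERPRISE:
            if not permitted:
                self._audit(when, who, op, outcome)    # exceptions only
        elif self.env is Env.PUBLIC:
            if permitted:
                self.usage_log.append({"when": when, "op": op})   # no identity kept
        # SOHO: the decision is enforced, nothing is recorded.
        return permitted

    def read_audit(self, who, when):
        """Return the audit trail, or None if the caller's role may not see it."""
        if self.env is Env.AUDITABLE:
            if "auditor" not in who.roles:
                # Administration and audit review are separate roles; log the attempt.
                self._audit(when, who, "read_audit", "denied: auditor role required")
                return None
        elif not (who.roles & {"admin", "auditor"}):
            return None
        return list(self.audit_log)
```

Running the same request sequence against a `Mediator` of each `Env` shows the difference directly: the auditable device has an entry for every operation, the enterprise device only for denials and unauthenticated attempts, the public device only anonymous usage records, and the SOHO device nothing at all.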

Impact?

- I think these will still be concentric sets of objectives.
- There would be some changes, but not many.
- We're reviewing and potentially changing some threats, assumptions, policies, and objectives anyway.
- From a marketing point of view, there may be some advantage in selling Common Criteria evaluated products for environments that are more closely identified with markets.
- I still think we should consider the usefulness of a SOHO PP, and perhaps do an EAL1 / Low Assurance Level PP.
- Also consider whether the Auditable Environment should be a "medium robustness" environment.