IT Security Requirements

Presentation on theme: "IT Security Requirements"— Presentation transcript:

1 IT Security Requirements
- Protection requirements
- Safeguards
- Controls
  - Preventive (before)
  - Detective (during)
  - Corrective (after)

2 IT Security "Catalogue" for Controls
- Suitable (reasonable) set of Security Requirements
- Standard: ISO/IEC (BS ) International Standard
- "De facto" standard: ISF (Information Security Forum) Standard of Good Practice (Information Security)
- Guidelines: ISO/IEC TR 13335, parts 1-5, International Technical Reports
- Certification (a possibility): BS 7799-2 specifies a necessary minimum of Security Requirements

3 Level of requirement (Terminology)
- Should (Shall)
- Must
- Ought
- In reading or in writing?

4 IT Security requirements
- Law (invariable): National and International
- Regulation
- Rules
- Standard
- Policy
- Guidance - Guidelines
- Procedure
- Instruction (Manual operation)

5 Who specifies the IT Security Requirements?
(Invariable demand or not ...)
- External (Requirement from outside)
  - Law (Legal aspect, Legislation) - "Breaking the rule is punishable"
  - Departmental order
  - Requirements from business partners
  - Certification
  - Customer agreements
- Internal
  - More or less related to Standards: ISO/IEC 17799, ISF, DS-484 (Danish Norm) - issuing authority
  - Management Team / business needs
  - Risk Assessment
  - IT Security Policy
  - IT Security Guidelines (hierarchy)
- Informal
  - Ethics
  - Code of ethics
  - Valuable property

6 IT Security Policy
- Use for: Signal to business partners and employees
- Responsible (Create, update, create awareness): IT Security Manager
- Approved by: Board of directors
- Relation to: Business Strategy
- Characteristics: Highly abstract language, non-technical and max 2 pages
- Content: "We shall ...." Example follows ISF Standard of Good Practice
- Applies to: IT Security Guidelines
- Type of document: Official (should be) but can be kept secret from the public

7 IT Security Guidelines
- Use for: Directions to employees
- Responsible (Create, update, create awareness): IT Security Manager in co-operation with the people who need the guideline
- Approved by: Executive management
- Relation to: IT Security Policy
- Characteristics: More concrete language, in use for users or the technical part
- Content: "We shall, for network dial-up solutions, .... Always use strong authentication with a one-time-password generator"
- Applies to: IT Instruction or procedure
- Type of document: Kept secret from the public

8 Network Security Policy (Guideline)
- Use for: Keep the focus on security in the network
- Responsible (Create, update, create awareness): IT Security Manager in co-operation with the network team
- Approved by: Executive management / IT management
- Relation to: IT Security Policy
- Characteristics: More concrete language, in use for the technical part
- Content: "We shall protect our Intranet as if it were the Internet" "We shall always use Switch-to-the-desktop on the LANs"
- Applies to: Network instruction or procedure
- Type of document: Kept secret from the public

9 Creating an IT Security Guideline
- Choose one guideline from ISF. Example: CN23. Just follow "The One and Only"
- Choose three guidelines from ISF. Example: CN23+CB53+SM54. "Shake up" the three guidelines and create your own
- Make the new guideline more concrete
- Do something different?

10 In the "real" world
Documentation: use for, priority, state
- Use for
  - Quality arrangement
  - Homogeneity in the way of doing things
- Priority
  - Written guidelines (Easy to see what the staff do)
  - Verbal guidelines to follow (Practice should be in accordance with what the staff tell you)
  - Nothing (A problem)
- State
  - Guidelines
  - Reality (the guidelines "won't" be used?)
  - Be granted an exemption from the IT Security department
- It is important to find a balance between the paperwork and documentation you create and what will actually be used in the future

11 IT Security level: Relative (?)
- Choose a satisfactory level of IT Security (trust?)
- A Company can choose to live up to
  - Guidance: ISO/IEC, ISF, DS 484-1
  - Certification: BS, DS 484-2
- Result
  - ISF "the solution" < : Some points to be addressed (goal for the auditor)
  - ISF "the solution" = : Satisfactory
  - ISF "the solution" > : Better than ISF (maybe the company's decision)

12 Evolution (obsoleted and new)
- Who should take care?
- Standards: BS7799 will soon come in a new version
- IT Security Policy: How to handle the relation to IT Security Guidelines?

13 IT Security Organisation
- Corporate level: IT Security Officer. Normally responsible for one or more IT Security Managers
- Company: IT Security Manager. Normally reports to the board of directors in the Company. Responsible for the IT Security Department
- IT Security Consultant: Staff in the IT Security Department
- IT Security Co-ordinator: Replacement for the IT Security Manager
- Department: Line managers in general are responsible for security within their areas
- IT Security Responsible: Example: a staff member in the Network Department responsible for the firewall system
- Employees: To be trained in IT Security Awareness

14 Auditing and the Auditors
- Who controls the controls, and why?
  - IT and financial auditors (Internal and External)
  - There is a need for ongoing audit because the solutions will always "sand up" (silt up over time)
- Who uses the auditors, and why?
  - Board of directors: Prosecution if something goes wrong
  - The Company: Accountants, Shareholders (Stockholders)
  - When convincing Business Partners and Customers: Prove that the IT Security level is satisfactory
  - Declaration (Yearly Statement): Business partners, The public
