
Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69.




1 Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69

2 Security in the Company “Organizations have many other things to do than practice security. Businesses exist to make money.”

3 Fundamental Principles Core goals of security (CIA) Confidentiality Integrity Availability Key Terms – page 25

4 Security Definitions Vulnerability Threat Risk Exposure Control Key Terms – page 28

5 Control Types Administrative Technical Physical Defense in Depth

6 Functionalities of Controls Deterrent Preventive Corrective Recovery Detective Compensating See page 30

7 Security through obscurity Dangerous Attackers are smart, motivated, and dedicated.

8 Security Frameworks A security program BS7799 – 1995 – How an ISMS (Information Security Management System) can be set up and maintained. – Topics pages 36-37

9 ISO/IEC 27000 ISO/IEC 27xxx modularized components. Figure 2-3 on page 39 (Plan-Do-Check-Act) How to develop and maintain an ISMS

10 Standards, Best Practices, Frameworks Page 40 How can we make sense out of this?

11 Enterprise Architecture Development “understand the environment, understand the security requirements of the business and the environment and layout a strategy”

12 TOGAF The Open Group Architecture Framework Page 47 Figure Note

13 Zachman Architecture Framework Business enterprise architecture – not security oriented Used to define the business environment. Table 2-2 on page 45

14 Enterprise Security Architecture Subset of enterprise architecture “The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner.” If no ESA, the answers on page 49 are “yes”

15 SABSA Sherwood Applied Business Security Architecture Table 2-3 on page 50 “Each layer of the model decreases in abstraction and increases in detail so it builds upon others and moves from policy to practical implementation of technology and solutions.”

16 SABSA Strategic alignment – Business drivers and regulatory and legal requirements are being met Business enablement – security cannot stand in the way of the business process, but should enable it.

17 SABSA Process enhancement – while securing the environment, look at improving the business process Security investment – metrics to determine the usefulness of security solutions.

18 ISMS vs Enterprise Security Architecture ISMS (ISO/IEC 27000) specifies the pieces and parts that need to be put in place for a security program. ESA (SABSA) specifies how the components of an ISMS have to be interwoven throughout the business environment.

19 Enterprise vs System Architecture EA – Security supports the organization SA – Systems need to support security policies.

20 Security Control Development CobiT NIST 800-53 COSO

21 Controls Management Technical Operational See Table 2-4 on page 58

22 CobiT ISACA The majority of security compliance auditing practices used today in the industry are based on CobiT Checklist for IT governance

23 NIST 800-53 U.S. Government checklist to ensure agencies are compliant with the Federal Information Security Management Act of 2002.

24 COSO Model for corporate governance Developed in 1985 to deal with fraudulent financial activities and reporting SOX – Sarbanes-Oxley is based on COSO Companies implement ISO/IEC 27000 and CobiT for COSO

25 Process Management Development How to manage the development of security controls

26 ITIL Information Technology Infrastructure Library De facto standard for IT service management Divide between business and IT people ITIL security component focuses on security level agreement between IT department and internal customers. Figure 2-6 on page 61

27 Six Sigma Improve process quality using statistics Removing defects in manufacturing

28 CMMI Capability Maturity Model Integration Figure 2-7 on page 62

29 CMMI 1.Plan and organize 2.Implement 3.Operate and maintain 4.Monitor and evaluate

30 Top-down Approach The initiation and direction of security programs should come from top management

31 Functionality vs Security Balancing act between security and allowing the necessary level of functionality so that productivity is not affected. Consult users and understand the business

