Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.

1 Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141

2 Security Documents
- Policies
- Procedures
- Standards
- Guidelines
- Baselines

3 Security Policy
- General statement produced by senior management
- Needs to be technology- and solution-independent
- Written in broad terms
- Outlines goals, not specific ways of accomplishing them

4 Organizational Security Policy
- Addresses laws, regulations and liability issues
- Describes the scope and the level of risk management is willing to accept
- Business objectives should drive policy
- Easily understood by employees
- Process for dealing with those who do not comply

5 Issue-Specific Policies
- Email usage
- Employees should confirm they have read and understood the policy

6 Issue-Specific Policies
- Acceptable use policy
- Data protection policy
- Business continuity policy
- See pages 103-4

7 System-Specific Policies
- Specific to actual computers, networks, applications
- Example: how a database containing sensitive information should be protected and who can have access

8 Standards
- Mandatory actions or rules
- Specific products to be used
- “Employees are required to wear identification badges at all times”
- “Confidential information must be protected with AES-256 at rest and in transit”

9 Baselines
- When risks have been mitigated and security put into place, a baseline is agreed upon
- Reference point to compare against when new software is installed or when changes are made
- Are we still providing the baseline protection?

10 Guidelines
- Suggested actions and best practices

11 Procedures
- Detailed step-by-step tasks that should be followed
- How policies, standards, and guidelines will be implemented in an operating environment
- Example: setting up a new user account

12 Implementation
- Policies, standards, procedures, baselines are often written for auditors
- Awareness training
- Companies that do not do awareness training can be held liable in the eyes of the law
- It must be clear that management staff support these policies

13 Information Classification Table 2-11 on pages 110-111

14 Information Classification
- Assign value to different kinds of information
- After identifying all important information, it should be properly classified
- Determine how to allocate funds to protect information in a cost-effective manner
- Each classification should have separate handling requirements and procedures for how that data is accessed, used and destroyed

15 Data Classification Procedures Page 114

16 Board of Directors
- Goal: shareholders’ interests are protected and the corporation is run properly
- 2002 scandals: Enron
- U.S. Government & SEC: Sarbanes-Oxley Act (SOX)
- Board of Directors can be held personally responsible (fined or jailed) for fraud

17 Executive Management
- CEO: day-to-day management
- CFO: corporate financial activities
- 2002 financial scandal: SEC makes them personally responsible; they can be fined or go to jail

18 Executive Management
- CIO: strategic use and management of information systems
- Chief Privacy Officer: ensures customer, company, and employee data is kept safe; usually an attorney who understands privacy, legal and regulatory requirements

19 Privacy
- Amount of control an individual should have over their sensitive information
- Personally identifiable information (PII): exposure leads to identity theft and financial fraud

20 Executive Management
- Chief Security Officer (CSO)
- Understands the risks the company faces and mitigates these risks to an acceptable level
- Understands business drivers and creates and maintains a program that facilitates these drivers
- Security compliance with regulations

21 Data Owner
- Usually in charge of a business unit
- Responsible for protection and use of a specific subset of information
- Classifies this data
- Ensures security controls are in place, backup requirements are met, and access rights are proper

22 Data Custodian
- Responsible for maintaining and protecting the data

23 User
- Must have the necessary level of access to the data to perform their duties
- Is responsible for following security procedures

24 Personnel Security
- In security, people are often the weakest link
- Accidentally, through mistakes or lack of training
- Intentionally, through fraud and malicious intent

25 Preventative Measures
- Separation of duties: no one individual can complete a critical task by herself
- Example: supervisor’s written approval
- Fraud or destruction would require collusion

26 Preventative Measures
- Rotation of duties: no person should stay in one position for a long time
- Mandatory vacations: while on vacation, fill-ins can usually detect fraud
- Key terms: page 127

27 Hiring Practices
- Nondisclosure agreements signed by new employees
- References checked
- Education verified
- Detailed background check

28 Termination
- Employee escorted out of facility
- Surrender identification badges and keys
- Exit interview
- User’s accounts disabled immediately
- Too many companies have been hurt by vengeful or disgruntled employees

29 Security-Awareness Training
- Communicate security to employees
- Supported by senior management
- Management must allocate resources for training
- Training must be simple to understand
- Acceptable behaviors
- Noncompliance repercussions
- During hiring and annually thereafter

30 Security Governance Table 2-13 Company A on page 133

31 Metrics
- “You can’t manage something that you can’t measure.”
- Quantifiable, performance-based data
- Continuously gathered and compared so that improvements or drops in performance can be identified
- ISO/IEC 27004 tells how to measure a security program

32 Quick Tips Pages 138 to 141
