Information Assurance/Information Security


Information Assurance/Information Security
John W. Lainhart IV
Presentation for the Computer System Security and Privacy Advisory Meeting
June 13, 2002
A business of PwC

Agenda
- Information Assurance
- COBIT & the Management Guidelines
- IT Governance
- SysTrust(SM) Assurance Service
- Managing Security of Information
- Board Briefing on IT Governance
- Information Security Governance
- Center for Internet Security Benchmarks

Information Assurance

Information Assurance
Conducting those operations that protect and defend information and information systems by ensuring confidentiality, integrity, availability and accountability. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities.
NIAP Definition

Strategic Vision: Holistic Understanding
Security is a Function of Business
- Successful implementation of any sensitive security program requires an understanding of the mission, operations, resources, and the business impact caused by vulnerabilities.
- Implement control protective measures to mitigate exploitable risks and minimize operational impacts caused by physical and IT vulnerabilities.
- Threats will continue to exist.
- Traditional security must be integrated and active for OPSEC and business continuity to be effective.

IA: A Functional Spectrum
IA Program Objectives: Moving Beyond Information Security (Integrity, Confidentiality, Availability)
Spectrum diagram, from Proactive Measures (Protect) to Reactive Functions (Detect, React); labels recovered from the slide:
- Intrusion Detection
- Firewall Management
- Threat Analysis
- Vulnerability Assessment
- Risk Analysis
- Training & Education
- Document Control
- Classification
- Smart Cards
- Management
- C&A (NIACAP, DITSCAP)
- SW Patches
- Anti-Virus
- Data Storage
- Contingency Plans
- Personnel Security
- Physical Security
- Counter Competitor Intelligence
- Penetration Testing
- Networks
- Social Engineering
- Open Source Exploitation
- Business Environment Monitoring
- Managed Security Services
- CIRT (CERT)
- COOP
- Disaster Recovery
- Continuity of Government
- Incident Reporting Process
- Investigations
- Computer Forensics
- Business Continuity
- Network Security Intelligence
Successful programs contain both proactive and reactive functions to be effective.

Concentric Barriers: Rings of Security
Protecting Critical Assets in the Virtual World Mirrors the Physical
Defense in Depth; Escalation by Severity
Rings diagram around Critical Data & Essential Information; labels recovered from the slide:
Proactive Measures (Protect), with examples:
- Deter (e.g. Warning Banner)
- Detect (e.g. Intrusion Detection)
- Delay (e.g. Firewall)
- Deny (e.g. Honey Pots, Encryption)
- Defeat (e.g. Arrest)
Reactive Functions (React), triggered by an Event:
- Monitoring
- Detect
- CIRT
- Defend
- Forensics
- BCP/COOP

PDD 63
PDD 63 responds to the interdependence of infrastructures: Banking, Transportation, Water, Government Services, Emergency Services.
What We Can Do:
- Threat Analysis
- Vulnerability Studies
- Protective Measures
- Impact Analysis
What the public sees/reads determines their confidence. What the public does not see involves detailed integration of the infrastructure: plans, compliance and actions.

Information Assurance Program
Develop a cross functional (technical, physical, personnel and environmental) matrix team consisting of empowered management and staff who are tasked to develop and manage long-term strategic direction for the organization Information Assurance Program incorporating:
- Security Vision & Strategy
- Senior Management Commitment
- Training & Awareness Programs
- Information Assurance
Organization chart labels recovered from the slide: Chair, PM, Budget, Operations, Secretariat, Sub Agencies, Security, Technical, Sub Agency I, II, III, IV, HR, Org., Public Relations, Working Groups (Technical, Management, Operations, Policy), Steering Committee, Members at large, Personnel, Individual Stand Up, As-Necessary.

Information Assurance Program
Assessment and Diagnostic Services
- Risk Assessment (incorporating Asset Inventory, Mission Requirements Driven Policy, Threats, Vulnerabilities, associated Risk, Countermeasures, ROI, and strategic action implementation plan)
- Penetration Testing and Analysis
- Financial (budget) Assessment
- Diagnostic Security Reviews of specific platforms
- Asset Inventory Analysis
- Security Readiness Reviews
- Security Testing and Evaluation (documentation, testing and evaluation)
- Government Information Security Reform Act (GISRA) Review
- Critical Infrastructure Protection Analysis
- Certification and Accreditation (System Security Authorization Agreement)
- Data/Information Integrity Assessment
- Site Surveys and Analysis
- Tools (i.e., EMM@, ESAS, Buddy System)

Information Assurance Program
Management Services
- Policy Development
- Technical Writing
- Standards
- Management Infrastructure
- Education, Training and Awareness
- Business & Technical Disaster Recovery (documentation, training and testing)
- Management Training
- Continuity Of Operations (COOP) Development
- Capacity Management
- Configuration Management
- IAP Metrics
- Knowledge Management
- Distance Learning
- Strategic Management Consulting
- Economic Security

Information Assurance Program
Architecture Services
- Enterprise-Wide Architecture
- Network Security Architecture and Specialized Architectures
- Security Product Review & Analysis
- Security Program Review & Analysis
- Life Cycle Methodology Development
- Configuration Security Architecture and Design

Information Assurance Program
Implementation Services
- Commercial security products (COTS)
- Encryption
- Single Sign On
- Firewalls
- Servers
- Routers
- Web/Internet Services
- VPNs
- Public Key Infrastructure (PKI)
- Secured Electronic Transaction (SET)
- Digital Certificates
- Certificate Authority Design
- Authentication
- Directory Services
- Smart Cards
- Biometrics
- Wireless

Information Assurance Program
Incident Investigation and Assurance Services
- Investigation and recovery from computer security incidents
- Data Forensics
- Incident Reporting and response services
- CERT/NOC capabilities
- Vulnerability Alerts
- Virus Alerts
- Unauthorized intrusion detection

Information Assurance Program
How To Get There!
Where You Are! (Current IT Program) -> Where You Want To Be!
Building on the strengths of your current Y2K infrastructure, the next step is to move to a world class Information Assurance Program.

COBIT
Information Technology Governance Institute
Control Objectives for Information and related Technology

COBIT: An IT Control Framework
- Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
- Promotes process focus and process ownership
- Divides IT into 34 processes belonging to four domains (domain labels recovered from the slide: Planning; Acquiring & Implementing; Delivery & liance)
- Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT

COBIT: An IT Control Framework
- A high-level control objective for each process: identifying which information criteria are most important in that IT process, stating which resources will usually be leveraged, and providing considerations on what is important for controlling that IT process
- 318 detailed control objectives for management and IT practitioners
- Extensive audit guidelines building on these objectives

COBIT Management Guidelines
Answers key management questions through the use of:
- Maturity Models
- Critical Success Factors
- Key Goal Indicators
- Key Performance Indicators

COBIT Management Guidelines
Generic Maturity Model
0 Non-Existent. Complete lack of any recognizable processes. The organization has not even recognized that there is an issue to be addressed.
1 Initial. There is evidence that the organization has recognized that the issues exist and need to be addressed. There are however no standardized processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
3 Defined. Procedures have been standardized and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimized. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other organizations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

COBIT Management Guidelines
Maturity Models for Self-Assessment

IT Governance
Diagram labels recovered from the slide: PO, AI, DS, MO

SysTrust(SM)
American Institute of Certified Public Accountants / Canadian Institute of Chartered Accountants
Systems Reliability Assurance Service

SysTrust
Opinion on controls
  – Based on a framework of principles & criteria
  – Identify and assess the operating effectiveness of controls that support the criteria
A system must meet all principles & all criteria to be considered "Reliable"
  – Reporting on less than 4 principles is permitted
  – All criteria related to the principle must be met

SysTrust
SysTrust as an Assurance Service
SysTrust used to manage internal risk
  – New applications being developed and/or implemented
  – Applications already in use
SysTrust used to manage 3rd party risk
Partner systems
  – 3rd party service-bureau systems
  – Online marketplaces/exchanges

SysTrust
SysTrust as Consulting Engagement
- SysTrust is a benchmark on controls
- Opportunity to identify control weaknesses
- Current engagements started as consulting
- Greater market for Consulting or Assurance?

SysTrust
System reliability is defined as: "A system that operates without material error, fault or failure during a specified time in a specified environment."
Four Principles:
- Availability
- Security
- Integrity
- Maintainability

Managing Security of Information
International Federation of Accountants
International Information Technology Guideline

Managing Security of Information
Core Principles
- Accountability - Responsibility and accountability must be explicit
- Awareness - Awareness of risks and security initiatives must be disseminated
- Multidisciplinary - Security must be addressed taking into consideration both technological and non-technological issues
- Cost Effectiveness - Security must be cost-effective

Managing Security of Information
Core Principles
- Integration - Security must be coordinated and integrated
- Reassessment - Security must be reassessed periodically
- Timeliness - Security procedures must provide for monitoring and timely response
- Societal Factors - Ethics must be promoted by respecting the rights and interests of others

Managing Security of Information
Implementation Approach
- Policy Development
- Roles and Responsibilities
- Awareness, Training, and Education
INFORMATION SECURITY POLICY STATEMENT EXAMPLE

Board Briefing on Information Technology Governance
Information Security Governance
Co-Badged by a Number of Leading Organizations

Information Technology Governance
"IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied within the entity will have an immense impact on whether the entity will attain its vision, mission or strategic goals."
ITGI document: Board Briefing on Information Technology Governance

Information Security Governance
"Executive management has a responsibility to ensure that the organization provides all users with a secure information systems environment. Furthermore, organizations need to protect themselves against the risks inherent in the use of information systems while simultaneously recognising the benefits that can accrue from having secure information systems."
ITGI document: Information Security Governance

Center for Internet Security

Center for Internet Security is developing:
- best-practice benchmarks that define the specific technical settings that will provide increased security for Internet-connected systems
- a security ruler that defines which of those specific settings will increase the relative security of your systems
- automated tools to continuously monitor the security status of your systems
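The three items above describe one workflow: a benchmark lists required settings, a ruler weights them, and a tool checks a system against them. The following added example (written for this page, not CIS code, and not the content of any CIS benchmark) shows the shape of such a checker: it parses a constructed sshd_config-style file, compares it with a small hypothetical benchmark, and reports a weighted score. The rule set, weights and sample configuration are all constructed for the illustration.

```python
"""Added example: scoring a configuration against a benchmark of settings.

Illustrates the approach on the slide (benchmark -> ruler -> monitoring tool).
The rules and the sample configuration are constructed for this example and
are not taken from a CIS benchmark.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One benchmark item: a setting, its expected value and a weight.

    The weight is the 'ruler' part: settings that matter more count more."""
    key: str
    expected: str
    weight: int
    rationale: str


# Constructed benchmark using sshd_config-style keys (hypothetical values).
BENCHMARK: List[Rule] = [
    Rule("PermitRootLogin", "no", 3, "administrators log in as themselves"),
    Rule("PasswordAuthentication", "no", 3, "keys resist password guessing"),
    Rule("Protocol", "2", 3, "older protocol version is not acceptable"),
    Rule("LogLevel", "INFO", 1, "needed to audit login activity"),
    Rule("MaxAuthTries", "4", 1, "limits attempts per connection"),
]


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines into a dict keyed by lower-cased name.

    Comments and blank lines are ignored; the first occurrence of a key wins,
    which matches how sshd itself resolves duplicate directives."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


@dataclass(frozen=True)
class Finding:
    rule: Rule
    actual: Optional[str]  # None when the setting is absent from the file
    passed: bool


def evaluate(settings: Dict[str, str], benchmark: List[Rule]) -> List[Finding]:
    """Compare each rule with the parsed configuration.

    An absent setting is treated as a failure: the checker does not assume
    the daemon's built-in default is the safe value."""
    findings: List[Finding] = []
    for rule in benchmark:
        actual = settings.get(rule.key.lower())
        passed = actual is not None and actual.lower() == rule.expected.lower()
        findings.append(Finding(rule, actual, passed))
    return findings


def score(findings: List[Finding]) -> Tuple[int, int]:
    """Return (points earned, points possible); the ratio is the ruler reading."""
    earned = sum(f.rule.weight for f in findings if f.passed)
    possible = sum(f.rule.weight for f in findings)
    return earned, possible


def report(findings: List[Finding]) -> str:
    """One PASS/FAIL line per rule, suitable for a monitoring job's output."""
    lines = []
    for f in findings:
        status = "PASS" if f.passed else "FAIL"
        actual = f.actual if f.actual is not None else "<not set>"
        lines.append(f"{status} {f.rule.key}: expected {f.rule.expected!r}, "
                     f"found {actual!r} ({f.rule.rationale})")
    return "\n".join(lines)


# Constructed sample configuration; not taken from a real host.
SAMPLE_CONFIG = """\
# constructed sample
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
LogLevel INFO
# MaxAuthTries deliberately left unset
"""

if __name__ == "__main__":
    results = evaluate(parse_config(SAMPLE_CONFIG), BENCHMARK)
    print(report(results))
    earned, possible = score(results)
    print(f"score: {earned}/{possible}")
```

Running the block as a script prints a PASS/FAIL line per rule and a score of 7 out of 11 for the constructed sample: root login and the unset MaxAuthTries fail. Treating an unset directive as a failure is the conservative choice for a monitoring tool; a production checker would need the daemon's documented defaults to do better.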

Web Sites
- COBIT -- www.itgi.org
- SysTrust(SM) -- www.aicpa.org
- Managing Security of Information -- www.ifac.org
- Board Briefing on Information Technology Governance -- www.itgi.org
- Information Security Governance -- www.itgi.org
- Center for Internet Security -- www.cisecurity.org

QUESTIONS?

Contact Information:
John W. Lainhart IV
703/741-1647
john.w.lainhart@us.pwcglobal.com
