Chapter 2

Information Security Governance and Risk
Chapter 2, Part 1
Pages 21 to 69
Security in the Company
• “Organizations have many other things to do than practice security. Businesses exist to make money.”
Fundamental Principles
• Core goals of security (CIA)
• Confidentiality
• Integrity
• Availability
• Key Terms – page 25
Security Definitions
• Vulnerability
• Threat
• Risk
• Exposure
• Control
• Key Terms – page 28
Control Types
• Administrative
• Technical
• Physical
• Defense in Depth
Functionalities of Controls
• Deterrent
• Preventive
• Corrective
• Recovery
• Detective
• Compensating
See page 30
Security through obscurity
• Dangerous
• Attackers are smart, motivated, and dedicated.
Security Frameworks
• A security program
• BS7799
– 1995
– How an ISMS (Information Security Management System) can be set up and maintained.
– Topics pages 36-37
ISO/IEC 27000
• ISO/IEC 27xxx modularized components.
• Figure 2-3 on page 39 (Plan-Do-Check-Act)
• How to develop and maintain an ISMS
Standards, Best Practices, Frameworks
• Page 40
• How can we make sense out of this?
Enterprise Architecture Development
• “understand the environment, understand the security requirements of the business and the environment and lay out a strategy”
TOGAF
• The Open Group Architecture Framework
• Page 47 Figure
• Note
Zachman Architecture Framework
• Business enterprise architecture – not security oriented
• Used to define the business environment.
• Table 2-2 on page 45
Enterprise Security Architecture
• Subset of enterprise architecture
• “The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner.”
• If no ESA, the answers on page 49 are “yes”
SABSA
• Sherwood Applied Business Security Architecture
• Table 2-3 on page 50
• “Each layer of the model decreases in abstraction and increases in detail so it builds upon others and moves from policy to practical implementation of technology and solutions.”
SABSA
• Strategic alignment – Business drivers and regulatory and legal requirements are being met
• Business enablement – security cannot stand in the way of the business process, but should enable it.
SABSA
• Process enhancement – while securing the environment, look at improving the business process
• Security investment – metrics to determine the usefulness of security solutions.
ISMS vs Enterprise Security Architecture
• ISMS (ISO/IEC 27000) specifies the pieces and parts that need to be put in place for a security program.
• ESA (SABSA) specifies how the components of an ISMS have to be interwoven throughout the business environment.
Enterprise vs System Architecture
• EA – Security supports the organization
• SA – Systems need to support security policies.
Security Control Development
• CobiT
• NIST 800-53
• COSO
Controls
• Management
• Technical
• Operational
See Table 2-4 on page 58
CobiT
• ISACA
• The majority of security compliance auditing practices used today in the industry are based on CobiT
• Checklist for IT governance
NIST 800-53
• U.S. Government checklist to ensure agencies are compliant with the Federal Information Security Management Act of 2002.
COSO
• Model for corporate governance
• Developed in 1985 to deal with fraudulent financial activities and reporting
• SOX – Sarbanes-Oxley is based on COSO
• Companies implement ISO/IEC 27000 and CobiT for COSO
Process Management Development
• How to manage the development of security controls
ITIL
• Information Technology Infrastructure Library
• De facto standard for IT service management
• Divide between business and IT people
• ITIL security component focuses on security level agreement between IT department and internal customers.
• Figure 2-6 on page 61
Six Sigma
• Improve process quality using statistics
• Removing defects in manufacturing
CMMI
• Capability Maturity Model Integration
• Figure 2-7 on page 62
CMMI
1. Plan and organize
2. Implement
3. Operate and maintain
4. Monitor and evaluate
Top-down Approach
• The initiation and direction of security programs should come from top management
Functionality vs Security
• Balancing act between security and allowing the necessary level of functionality so that productivity is not affected.
• Consult users and understand the business