Cybersecurity Risk – Uncertainty of potentially harmful events

advertisement
Cybersecurity Risk
– Uncertainty of potentially harmful
events
related to Cybersecurity
• Cybersecurity Risk
Management
– Process of managing (reducing)
potentially
harmful uncertain events due to the
lack of
effective Cybersecurity
Risks Arise at Different
Levels
• Strategic – high-level goals,
aligned with
and supporting its mission
• Tactical – tactical goals,
programs/projects
aligned with resources
• Operations – effective and
efficient use of
its resources
• Reporting – reliability of
reporting
• Compliance – compliance with
applicable
laws and regulations.
Information Security:
Types of Risk
• Physical damage. Fire, water, vandalism,
power loss,
and natural disasters
• Human interaction. Accidental or
intentional action or
inaction that can disrupt productivity
• Equipment malfunction. Failure of
systems and
peripheral devices
• Inside and outside attacks. Hacking,
cracking, and
attacking
• Misuse of data. Sharing trade secrets,
fraud,
espionage, and theft
• Loss of data. Intentional or unintentional
loss of
information through destructive means
• Application error.
Policy
• A policy is a general statement
designed
to guide employees' actions in
recurring
situations.
• It establishes broad limits,
provides
direction, but permits some
initiative and
discretion on the part of the
supervisor.
Procedure
• A procedure is a sequence of
steps or
operations describing how to
carry out an
activity and usually involves a
group.
• More specific than a policy, a
procedure
establishes a customary way of
handling a
recurring activity.
An asset is anything within an environment that
should be protected.
Asset valuation is a dollar value
assigned
to an asset based on actual cost
and
nonmonetary expenses.
Any potential occurrence that may cause an
undesirable or
unwanted outcome for an organization or for a
specific asset is a
threat.
The absence of or the weakness
of a
safeguard or countermeasure is
called a
vulnerability.
Exposure is being susceptible to
asset
loss due to a threat;
Risk is the possibility that a threat will exploit a
vulnerability to cause
harm to an asset.
A safeguard, or countermeasure, is
anything that
removes a vulnerability or protects against
one or more
specific threats.
A breach is the occurrence of a
security
mechanism being bypassed or
thwarted by a
threat agent.
A common model for classifying attacker
goals is the
STRIDE model:
– Spoofing – Posing as another user, component,
or external
system that should be identified by the system
– Tampering – Unauthorized modification of data
– Repudiation – Denying performing an action
without the system
being able to prove otherwise
– Information Disclosure – Exposure of protected
data to an
unauthorized user
– Denial of Service – Disallowing valid users to
access the
system
– Elevation of Privileges – Gaining privileged
access by a lower
privileged user
DREAD Model
Another method for determining
risk is
the DREAD model:
– Damage potential – How great is the damage
if the
vulnerability is exploited?
– Reproducibility – How easy is it to reproduce
the attack?
– Exploitability – How easy is it to launch an
attack?
– Affected users – As a rough percentage, how
many users are
affected?
– Discoverability – How easy is it to find the
vulnerability?
Risk = Min(D, (D+R+E+A+D) / 5)
– Risk Acceptance - doing nothing
– Risk Transference - pass risk to an externality
– Risk Avoidance - removing the feature/component
that causes
the risk
– Risk Mitigation - decrease the risk
Internet Threat Hierarchy
Risk Analysis
A risk analysis has four main
goals:
• Identify assets and their values
• Identify vulnerabilities and
threats
• Quantify the probability and
business
impact of these potential threats
• Provide an economic balance
between the
impact of the threat and the cost
of the
countermeasure
Total risk = Σ(E + T + C + P)
where:
E represents the risks from the
general
economy
T represents technology risk
C represents risks from
competition
P represents risk surrounding
the product
Itself
The exposure factor (EF) represents the
percentage of
loss that an organization would experience
if a specific
asset were violated by a realized risk.
The annualized rate of occurrence (ARO)
is the
expected frequency with which a specific
threat or risk
will occur (i.e., become realized) within a
single year.
The annualized loss expectancy
(ALE) is the
possible yearly cost of all instances
of a specific
realized threat against a specific
asset.
EF (Exposure Factor) = Percentage
of asset
loss caused by identified threat.
• SLE (Single Loss Expectancy) =
Asset value *
Exposure Factor
• ARO (Annualized Rate of
Occurrence) =
Estimated frequency a threat will
occur within a
year.
• ALE (Annualized Loss Expectancy)
= Single
Loss Expectancy * Annualized Rate
of
Occurrence
Once countermeasures are implemented, the risk
that remains is
known as residual risk.
Physical security critical to
security of
cyber environment
Security for protection of data
and system
from unauthorized access and
unauthorized or unintentional
change or
disturbance of data processing
IA is the process of ensuring that
the right people get the right information at
the right time.
V & V Model
Scrum and XP
• Pair programming
• Test-driven development
• Collective code ownership
• Coding standards
Kanban has proven useful for teams
– that struggle to decompose and fit
work into
single iterations (to make stories
smaller)
– teams that struggle with the definition
of
customer‐valued work (potentially
shippable
version after each sprint)
A Coding Dojo
• A Coding Dojo is a place where programmers
come to improve
their skills, by following a pattern similar to the
martial arts dojo.
• Participants meet for at a pre‐arranged time in a
room that has one
computer attached to a screen.
• A programming challenge is posed for each
session.
• There are a couple of ways this is done that will be
discussed later.
• During the session, the group spends a pre‐set
amount of time
developing a solution to the challenge.
• At the end of the session the code is discarded
(often it is archived
for future reference and study).
• The amount of time spent on the problem is fixed.
• Regardless of the state of the solution, when the
time expires, the
session is done.
Code Katas
• Kata (Japanese for form or pattern) are
an exercise
where the novice repeatedly tries to
emulate a master.
• In karate, these kata are a sequence of
basic moves
(kicks, blocks, punches, and so on), strung
together in a
way that makes sense.
• You’ll never be attacked in such a way
that you could
repeat a kata to defend yourself: that isn’t
the idea.
• Instead the idea is to practice the feel
and to
internalize the moves.
– (Interestingly, kata are not just used in the
martial arts.
Calligraphers also learn using kata, copying
their masters’
brush strokes.)
Kumite
• Once you get some way into your
training, you
start kumite, or sparring.
• Kumite is a supervised exercise
between two
students, or between a student and a
master.
• Here they learn to assemble the
basic moves into
coherent sequences, combining
offensive and
defensive elements into something
that works.
• While kata could be considered
static, repeating
the same sequence over and over,
kumite is
dynamic.
Koans are questions without
absolute answers
which are used to break down
assumptions
and reveal underlying truths.
A secure product is one that
protects the
confidentiality, integrity, and
availability of the
customers’ information, and the
integrity and
availability of processing resources
under control
of the system’s owner or
administrator.
Software security—the process of
designing,
building, and testing software for
security.
The Software Assurance Maturity
Model is an
open framework to help
organizations
formulate and implement a
strategy for
software security that is tailored to
the
specific risks facing the
organization.
Agile secure programming




Customer focused
Responsive
Iterative
Trustworthy
Domains of IT
The four Ps of Strategy
• perspective: the distinctive
vision and
direction
• position: the basis on which
the provider
will compete
• plan: how the provider will
achieve their
vision
• pattern: the fundamental way
of doing
things – distinctive patterns in
decisions
and actions over time
Benefits of ITSM
• Aligns IT with the business needs
• Moves from a technology to service
based
culture
• More ability to absorb rapid change
• Improves quality of IT services
• IT perceived as offering value to the
organisation
• Ensures everyone speaks the same
language
Incident Management
Incident management seeks to
restore client
service as soon as possible
while
minimizing any negative effect
on his/her
work
Description – End users (the
customers of the
IT department) need a clearly defined
point of
contact. Incident management’s
center of
attention is the restoration of the
agreed service
level in a speedy and uniform
manner.
• Goal –Swift restoration of normal
service
operation (normal, as defined within
SLA limits)
and minimal impact on business
processes.
Problem Management
• Description – problem
management is
focused on preventive measures
and the
identification of the root cause of
incidents.
• Goal – An efficient and timely
solution for
problems is based on the
definition of
clear priorities.
Configuration
Management
Account for and document all the IT
organization
assets and configurations to support
all the
other Service Management
processes
Description – management of the
configuration
is essential to tap the full potential of
an
application system. Configuration
management
is responsible for providing the
information
necessary for planning and
monitoring of the
resources.
• Goal – There is no single goal of
the
configuration management process,
rather there
are multiple goals:
– Account for IT assets and configurations.
– Verify the configuration records and
correct
exceptions.
– Provide accurate information on
configurations and
the referring documentation as well as a
sound basis
for other processes (incident, problem,
change and
release management).
Change Management
The objective of change
management is to
carry out changes economically
and in a
timely manner with minimal risk
Description – Even though services
evolve
constantly, the quality of services
delivered to
core business processes may not be
disrupted.
Reliable change management treats
planning
and supervising of changes to the
existing
infrastructure thus minimizes the risk
of damage
to existing and new application
systems,
infrastructure and services.
• Goal – Changes are implemented
within the
agreed time and minimal risk.
Release Management
Successful planning and control
of hardware
and software installations
Description – Assurance that only
tested and
approved applications are rolled out
is becoming
more and more important, as
different operating
systems, different locations and an
increased
frequency of patches complete the
release
management.
• Goal – Approved and accredited
components
(hardware, software, firmware as well
as
documents) are installed trouble-free
and on
schedule.
Service Level
Management
• Description – With a sound service
level
management, clear interfaces and
specification
of services are defined with
customers (senior
management). Users and internal as
well as
external suppliers are defined and
managed.
Internal operational level agreements
and
contracts with external suppliers
facilitate
adherence to negotiated service level
agreements.
• Goal – The goal is to ensure the
compliance of
the services delivered with the level
of services
demanded and agreed upon.
Service Level
Management
Tasks
• Negotiate and modify service level
requirements
with business and clients
• Monitor and report on the actual
service level
• Plan and implement continuous
improvements in
services and service levels
• Prepare and maintain a service
catalogue
Service Level
Management
Benefits
• The required level of service is
unambiguous,
consistent and measurable
• There is an appropriate balance
between
service costs and desired service
levels
• Customer productivity is enhanced
by the
provision of improved services
• Objective proof of the service
quality delivered
helps prevent differences of opinion
• The number and ramifications of
unplanned
requirements are reduced
Service Level
Management
Key Performance
Indicators
• Extent of coverage of the IT
services
• Number of deviations from the
agreed service
levels
• Customer satisfaction
• Availability of the services
Financial Management for
IT
Services
• Description – Management of
expenses
and accurate redistribution of
costs
improve the availability of
financial
resources.
• Goal – Finance-related
information is
provided to establish costoriented
steering of the organization.
Capacity Management
• Description – Proactive
identification of
performance requirements ensures a
continuous
level of service and a proper
management of
resources. A sound management of
capacity
considers three levels:
– Business capacity
– Service capacity
– Resource capacity
• Goal – Providing the appropriate
capacity
ensures the delivery of the service at
an agreed
level.
Capacity Management
Key Performance
Indicators
• Workload of IT services
• Reserves
• Number of bottlenecks
• Capacity utilization rate of staff and
systems
• Costs: economic use of resources
• Ability to meet deadlines when
providing
Resources
IT Service Continuity
Management
• Description – By minimizing
negative
effects caused by disastrous and
unpredictable events, disruption
of the
core business processes is to be
minimized.
• Goal – The goal is to provide a
predetermined and agreed level
of
services in case of a disastrous
event.
Service Continuity
Management
Tasks
• Carry out risk analyses as part of
business
continuity management
• Prepare recovery plans for IT
services and
necessary investments in order to
implement
them
• Test and verify plans to be able to
restore the
services in an emergency in the time
required,
safely and in a controlled way
• Keep the recovery plans up to date
Service Continuity
Management
Benefits
• Restrictions to daily business and
loss of data
in the event of a disaster are reduced
• By implementing preventative
measures, the
number of failures is reduced to a
minimum
Service Continuity
Management
Key Performance
Indicators
• Business continuity service level
(time delay and
data loss in case of a catastrophic
event)
• Investment and maintenance costs
of the IT
recovery solution
• Test successes (technology,
business cases,
and current status of data)
• Process costs
Availability
Management
• Description – Continuous
monitoring and
improvement of the availability of
systems
minimizes outages and thus
improves the
availability of services.
• Goal – The goal is to ensure
the
consistent availability of IT
services as
required by the business
processes.
Availability Management
Tasks
• Determine availability requirements
• Prepare availability forecasts
• Prepare an availability plan
• Determine the actual availability
• Prepare reports
• Improve the agreed availability
Availability Management
Benefits
• IT services are designed and
controlled so
that contracted availability is
achieved
• Service quality improves and cost
reduces
• Fewer problems
• Less maintenance and down time
• More detailed information is
available for
service level negotiations
Availability Management
Key Performance
Indicators
• Productive time lost by customers
• Income lost
• Materials consumed
• Client satisfaction
Security Management
Definition
Protect data and infrastructures so
that
• confidentiality is appropriately
preserved
• integrity of information is ensured
• availability is ensured
• conducting a transaction is not
denied
• obligations imposed by law,
contractual
arrangements and supervisory
bodies can be
fulfilled
Security Management
Tasks
• Develop security plan, guidelines
and policies
• Manage roles & responsibilities
• Prepare confidentiality agreements
for personnel
• Promote increased security
awareness
Security Management
Benefits
• Increased security for data, systems and
applications
• Prevention of data loss
• Ensured data integrity
• Guarantee of data confidentiality
• Compliance with statutory obligations
concerning data
protection
• Increased client confidence
• Increased awareness of employees about
security
Issues
Security Management
Key Performance
Indicators
• Internal and external security audits
• Number of intrusions detected,
firewall attacks,
virus attacks etc.
• Damage that occurs during security
intrusions
• Process costs
Comparison of ITIL to
BS15000
ITIL
– Provides framework for best practice
– Can assess maturity
– Flexible and adaptable
BS 15000
– Normative reference
– Internationally recognised certification
– Prescriptive
– Cannot assess maturity
– Only pass or fail
Types of Disasters
What is BCM? (cont.)
• Elements include
– Principles of Risk Management
– Design and implementation of Crisis Management and
Emergency
Operations Programs
– Planning for recovery and continued availability of
operations during
disruptive events
– Designing and implementing business process manual
procedures for
use during a disruption
– Designing and implementing secure, fail-proof (faulttolerant) systems
for continuous availability
– Designing and implementing threat prevention and
detection systems
– Encompasses development of procedures, acquisition of
resources,
testing, and maintenance
Business Continuity
Management
Life Cycle
Risk Assessment
General risk:
– Natural Events - risk driven by natural or
act of God
– Technological Events - risk driven by
technology, broadly defined
– Human Events - event driven by acts of
specific individuals both internal and
external to the organization
Business Impact Analysis
Governance
Availability/Recovery
Strategies
BCM Plans &
Documentation
Resource Acquisition &
Implementation
Training & Awareness
Testing
Continuous
Improvement/QA
Incident Response Life
Cycle
1. Preparation (malware-specific incident
handling policies and procedures, malwareoriented training and exercises)
2. Detection and Analysis (Early
detection
can help the organization minimize
the number of infected systems)
3. Containment (stopping the spread of the malware and
preventing further damage to systems), Eradication
(remove malware from infected systems),
and Recovery (restoring the functionality and
data of infected systems and removing
temporary containment measures)
4. Post-Incident Activity (Software
Reconfiguration, Malware Detection Software
Deployment, Awareness Program Changes,
Security Policy Changes).
CIP Goals
CIP Roles
Government
“What’s the goal”Levels
Infrastructure
“Prioritize Risks”
Public-Private Partnership
“What’s critical”
Operators
“Best control solutions”
Establish and Exercise
Emergency plans
• Public and private sector organizations can benefit
from developing joint
plans for managing emergencies – including
recovering critical functions
in the event of significant incidents, including but
limited to natural
disasters, terrorist attacks, technological failures or
accidents.
• Emergency response plans can mitigate damage
and promote resiliency.
• Effective emergency response plans are generally
short and highly
actionable so they can be readily tested, evaluated,
and implemented.
• Testing and exercising emergency plans promotes
trust, understanding
and greater operational coordination among public
and private sector
organizations.
• Exercises also provide an important opportunity to
identify new risk
factors that can be addressed in response plans or
controlled through
regular risk management functions.
The Security Development Lifecycle
Product Inception
Assign security advisor
Identify security milestones
Plan security integration into product
Design
Define security architecture and design guidelines
Document elements of software attack surface
Threat Modeling Standards, best practices, and tools
Apply coding and testing standards
Apply security tools (fuzzing tools, staticanalysis tools, etc)
Security Push
Security code reviews
Focused security testing
Review against new threats
Meet signoff criteria
Final Security Review
Independent review conducted by the security team
Penetration testing
Archiving of compliance info
RTM and Deployment
Signoff
Security Response
Plan and process in place
Feedback loop back into the development process
CIP and CIIP
Industry Capabilities
Government
Capabilities
Computer Security Incident
Response Teams (CSIRT)
A CSIRT is a service organization
that is
responsible for receiving, reviewing,
and
responding to computer security
incident reports
and activity.
• Its services are usually performed
for a defined
constituency that could be a parent
entity such
– as a corporation,
– government, or educational organization;
– a region or country;
– a research network; or
– a paid client.
A CSIRT may also perform a
proactive role. This
may include
– providing security awareness training,
– security consulting,
– Configuration maintenance, and
– producing technical documents and
advisories.
The goals of a CSIRT must be based on
the business
goals of the constituent or parent
organizations.
• Protecting critical assets is key to the
success of both an
organization and its CSIRT.
• The goal of a CSIRT, in this context, is to
minimize and
control the damage, provide effective
response and
recovery, and work to prevent future events
from
happening.
• In this role the CSIRT collects incident
information,
security weaknesses, and software and
system
vulnerabilities in the organizational
infrastructure or
– within a constituency.
In a commercial, military, educational, or
government
setting, the CSIRT becomes a focal point
for business
intelligence within the organization and a
primary source
of authentic risk data.
• This information can provide an important
data feed into
operational risk modeling.
• The CSIRT can be seen as a key element
in loss
minimization and risk mitigation.
• In this same manner, the CSIRT’s role as
a central
repository allows it to gather an enterprisewide picture
of security issues as it relates across the
organization.
• This also allows the CSIRT to link together
events that
may not have been seen to be related when
looked at
– individually.
Types of CSIRTs
CSIRTs come in all shapes and sizes and
serve diverse
constituencies.
– Some CSIRTs, such as the Japan Computer
Emergency
Response Team Coordination Center
(JPCERT/CC), support an
entire country.
– Other CSIRTS may provide support to a particular
university
such as Oxford,
– a commercial organization such as Boeing or SUN
Microsystems, or
– a particular domain or IP range such as the Telia
CERT
Coordination Centre (TeliaCERTCC).
• There are also corporate teams and
organizations that
provide CSIRT services to clients for a fee,
such as
– IBM Managed Security Services (IBM-MSS) or
– – the debis Computer Emergency Response
Team (dCERT).
Categories of CSIRTs
Internal CSIRTs provide incident handling services
to their parent
organization, which could be a bank, a university, or
a federal
agency.
• Coordination centers coordinate and facilitate the
handling of
incidents across various CSIRTs, or for a particular
country, state,
research network, or other such entity.
• Usually coordination centers will have a broad
scope and a diverse
constituency.
• Analysis centers focus on synthesizing data from
various sources to
determine trends and patterns in incident activity.
This information
can then be used to help predict future activity or
provide early
warning when current activity matches a set of
previously
determined characteristics.
Vendor teams located in software or
hardware
companies and handle reports concerning
vulnerabilities
in their products.
• They analyze the vulnerabilities, develop
patches or
workarounds, and disseminate this
information to their
clientele or to the broader public.
– They work with other CSIRTs, security experts,
and researchers
to track and respond to these vulnerabilities.
• Incident response providers provide
incident handling
services as a product to other
organizations.
• They are sometimes referred to as
managed security service providers
(MSSPs).
FIRST
Goals were to share information among
CSIRTs and, if
needed, to aid one another during incidents
and
network-wide attacks.
• The CSIRT community is still pursuing
these goals
today.
• Teams working in various collaborations
are looking for
the most effective way to establish a
coordination
network.
• In November 1990 IT WAS DECIDED to
establish a
forum for CSIRTs and security teams,
which is now the
Forum of Incident Response and Security
Teams
(FIRST).
FIRST is primarily a network of
registered
members, either CSIRTs or security
teams.
• The members work together
voluntarily and
concentrate on the
– prevention of incidents,
– sharing of information,
– sharing of vulnerability and artifact
analysis, and
– coordination of response activities,
where appropriate, when an incident
occurs.
IT Governance
The processes that ensure that
the
organization's IT sustains and
extends the
organization's strategies and
objectives
Compliance is the assessment
of work products and processes
against standards.
enable the strategic and tactical alignment of IT ·
understand the value and impact of IT
investments (dollars, human resources, and capital)
identify opportunities for improved IT utilization
support visible and transparent decision making
establish and sustain effective IT policies
establish performance measurements
identify and mitigate risks
satisfy regulatory and formal compliance
requirements
IT Governance
Framework
Linking Business Goals
and IT Processes
IT Governance Process
IT Governance Life
Cycle
Goals for IT Governance
(1) assure that the investments in IT
generate
business value, and
(2) mitigate the risks that are
associated with IT.
IT Governance
Focus Areas of IT
Governance
Strategic alignment, with focus on aligning
with the
business and collaborative solutions
– Value delivery, concentrating on
optimizing
expenses and proving the value of IT
– Risk management, addressing the
safeguarding of
IT assets, disaster recovery and continuity
of
operations
– Resource management, optimizing
knowledge and
IT infrastructure
• None of these factors can be
managed
appropriately without:
– Performance measurement, tracking
project
delivery and monitoring IT services
IT Strategic Alignment
IT Risk Management
The board should manage enterprise risk by:
Ascertaining that there is transparency about
the significant
risks to the organization
Being aware that the final responsibility for
risk
management rests with the board
Being conscious that risk mitigation can
generate
cost-efficiencies
Considering that a proactive risk
management approach
creates competitive advantage
Insisting that risk management is embedded
in the
operation of the enterprise
IT BSC Measures
Governance Enablers
Governance enablers are the
organisational
resources for governance, such as
frameworks,
principles, structure, processes and
practices,
toward which or through which action
is directed
and objectives can be attained.
• Enablers also include the
enterprise’s resources,
e.g., service capabilities (IT
infrastructure,
applications, etc.), people and
information.
Given the importance of governance
enablers,
COBIT 5 includes a single way of
looking at and
dealing with enablers.
Governance Scope
Governance can be applied to the
whole
enterprise, an entity, a tangible or
intangible
asset, etc.
• That is, it is possible to define
different views of
the enterprise to which governance is
applied,
and it is essential to define this scope
of the
governance system well.
Goal of IT Value
Governance Framework
The goal of the IT Value Governance
Framework initiative is to help
management
ensure that organizations realize
optimal value
from IT-enabled business
investments at an
affordable cost with a known and
acceptable level of risk.
• IT Value Governance Framework
provides
guidelines, processes and supporting
practices
to assist the board and executive
management
in understanding and carrying out
their roles
related to such investments.
• Value Governance (VG)
Practices
• Portfolio Management (PM)
Practices
• Investment Management (IM)
Practices
IT Risk Governance
Enterprises are dependent on
automation and integration
• Need to cross IT silos of risk
management
• Important to integrate with
existing levels
of risk management practices
Risk IT’s Three Domains
COSO is a voluntary private sector
organization dedicated to improving the
quality of financial reporting through
business ethics, effective internal control
and corporate governance.
COSO identifies five essential
components
of effective internal control. They
are:
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring
While the importance of IT controls is
embedded
in the COSO internal control
framework, IT
management requires specific
examples to help
identify, document and evaluate IT
controls.
• The COSO framework has been
rapidly adopted
by financial auditors as a means
implanting
controls for the financial reporting
process.
SOX
Strategy
Strategy is simply how to deploy your
resources
to generate maximum value for
stakeholders.
• Where dayto-day operations is
about
doing things right,
strategy is about doing the right
things.
8
• Strategy sets the potential value
that an
enterprise can deliver and, as such,
is a key
activity.
• However, in most enterprises and
IS
organizations, strategy processes are
weaker,
less well-defined and less wellexecuted than
operations processes.
Effective IT Strategy
IT organizations and their teams
struggle
with developing an effective IT
strategy.
• They generally are confused
about how
the IT strategy fits with the
business
9
strategy and how to ensure that
the
strategy that is created can
endure over
time.
• Strategy is the bridge between policy or high-order
goals on the one hand and tactics or concrete actions
on the other.
• Strategy is a term that refers to a complex web of
thoughts, ideas, insights, experiences, goals, expertise,
memories, perceptions, and expectations that provides
general guidance for specific actions in pursuit of particular
ends.
• Strategy is at once the course we chart, the journey
we imagine and, at the same time, it is the course we
steer, the trip we actually make.
“Mission statements" and
"core values"
• “Mission statements" and "core
values" are not
included.
• The “strategy definition” framework
is about
action — what to do.
• Mission statements and core values
are about
24
how employees and their leaders
should behave
while taking those actions.
• They add style to a strategy, not
substance.
Because these statements and
values could
exist without a strategy or in support
of a
strategy, they should not be
misconstrued as a
strategy definition by themselves.
Vision
Vision is a short, succinct, and inspiring
statement of
what the organization intends to become
and to achieve
at some point in the future, often stated in
competitive
terms.
• Vision refers to the category of intentions
that are broad,
all-intrusive and forward-thinking.
• It is the image that a business must have
of its goals
before it sets out to reach them.
• It describes aspirations for the future,
without specifying
the means that will be used to achieve
those desired
ends.
Mission Statement
mission statement is an
organization's
vision translated into written
form.
• It makes concrete the leader's
view of the
direction and purpose of the
organization.
• For many corporate leaders it
is a vital
element in any attempt to
motivate
employees and to give them a
sense of
priorities.
Strategic Intent
• A strategic intent is a
company's vision of
what it wants to achieve in the
long term.
• It must convey a significant
stretch for your
company, a sense of direction,
discovery,
and opportunity that can be
communicated
as worthwhile to all employees.
• It should not focus so much on
today's
problems but rather on
tomorrow's
opportunities
Core Values
• Core values are the
organization’s
essential and enduring tenets—
a small set
of timeless guiding principles
that require
no external justification;
• They have intrinsic value and
importance
to those inside the organization.
Strategy Process
Preparation >> Planning >> Communication
>> Realization
Strategic planning
1. Selection of the corporate mission and
major corporate goals;
2. Analysis of the organization’s external
competitive
environment to identify opportunities and
threats;
3. Analysis of the organization’s internal
operating
42
environment to identify the organization’s
strengths
and weaknesses;
4. Selection of strategies that build on the
organization’s strengths and correct its
weaknesses
in order to take advantage of external
opportunities
and counter external threats (SWOT);
5. Strategy implementation.
SWOT Analysis
The SWOT analysis
– (strengths,
– weaknesses,
– opportunities, and
– threats)
examines the company’s internal strengths
and
45
weaknesses with respect to the
environment and the
competition and looks at external
opportunities and
threats.
• Opportunities may help to define a target
market or
identify new product opportunities, while
threats are
areas of exposure.
• A SWOT analysis should be to build on a
company’s
strengths in order to exploit opportunities,
counter
threats, and correct weaknesses.
Strengths - Think about what your company does
well. Some
questions to help you get started are: What makes
you stand out
from your competitors? What advantages do you
have over other
businesses?
• Weaknesses - List the areas that are a struggle for
your company.
Some questions to help you get started are: What do
your
customers complain about? What are the unmet
needs of your sales
force?
46
• Opportunities - Traditionally, a SWOT looks only at
the external
environment for opportunities. I suggest you look
externally for areas
your competitors are not fully covering, then go a
step further and
think how to match these to your internal strengths.
• Threats - As with opportunities, threats in a
traditional SWOT
analysis are considered an external force. By
looking both inside
and outside of your company for things that could
damage your
business, however, you may be better able to see
the big picture.
Internal Analysis
Factors should be evaluated across
the organization in areas such as:
• Company culture
• Company image
• Organizational structure
• Key staff
• Access to natural resources
• The SWOT analysis
summarizes the
internal factors of the
firm as a list of
strengths and
weaknesses.
• Position on the experience curve
• Operational efficiency
• Operational capacity
• Brand awareness
• Market share
• Financial resources
• Exclusive contracts
• Patents and trade secrets
External Analysis
• An opportunity is the chance to
introduce a new product or service
that can generate superior returns.
• Opportunities can arise when
changes occur in the external
environment.
• Many of these changes can be
perceived as threats to the market position of existing
products and
may necessitate a change in
product specifications or the
development of new products in
order for the firm to remain
competitive.
Changes in the external environment
may be related to:
• Customers
• Competitors
• Market trends
• Suppliers
• Partners
• Social changes
• New technology
• Economic environment
• Political and regulatory
The SWOT analysis summarizes the
external
environmental factors as a list of
opportunities and
threats.
BSC is a Top-down
Methodology
The BSC is a top-down methodology that
examines organizations from
– internal and external,
– financial and non-financial, and
– short- and long-term perspectives.
• The philosophy of the BSC is that
organizations are more effective when guided
and aligned by their mission and vision and
68
when focused on multiple perspectives.
• A good balanced scorecard is a mirror of an
organization’s strategy.
• The performance measures translate the
strategy into action.
• The term “balance” comes from an examination
of multiple perspectives instead of a single
financial perspective.
• It is not “balanced” in a mathematical sense
where perspectives are assigned weights to
calculate a final score.
Strategy Implementation:
Supporting Factors
• Action Planning (chronological
lists of action steps)
• Organization Structure
• Human Resources
• The Annual Business Plan
• Monitoring and Control
• Linkage
Cyber Security
Standards
Cyber security standards are security
standards which
enable organizations to practice safe
security techniques
in order to minimize the number of
successful cyber
security attacks.
• These guides provide general outlines as
well as specific
techniques for implementing cyber security.
• For certain specific standards, cyber
security certification
by an accredited body can be obtained.
• There are many advantages to obtaining
certification
including the ability to get cyber security
insurance.
ISO/IEC 27000-series
• ISO/IEC 27001 - the
certification standard
against which organizations'
ISMS may be
certified (published in 2005)
• ISO/IEC 27002 - the re-naming
of existing
standard ISO 17799
The outline is a high level guide to cyber security.
• It is most beneficial for an organization to obtain a
certification in order to be
recognized as compliant with the standard.
Information Security Policy
– Organization of information
security
– Asset Management
– Information security incident
management
– Business continuity
management
– Compliance
– Human resource security
– Physical and environmental
security
– Communication and
operations management
– Access control
– Information systems
acquisition, development and
maintenance
ISO/IEC 27006 - a guide to the
certification/registration process
(published
in 2007)
Plan-Do-Check-Act
Plan - Establish ISMS policy, objectives, processes
and procedures relevant to managing risk and
improving information security to deliver results in
accordance with an organization’s overall policies
and objectives.
Do - Implement and operate the ISMS policy,
controls, processes and procedures.
Check - Assess and, where applicable, measure
process performance against ISMS policy,
objectives and practical experience and report the
results to management for review.
Act - Take corrective and preventive actions, based
on the results of the internal ISMS audit and
management review or other relevant information, to
achieve continual improvement of the ISMS.
NIST 800-12
• Special publication 800-12 provides
a broad
overview of computer security and
control areas.
• It also emphasizes the importance
of the
security controls and ways to
implement them.
• Initially this document was aimed at
the federal government although
most practices in this
document can be applied to the
private sector as
well.
• Specifically it was written for those
people in the
federal government responsible for
handling
sensitive systems.
Process Maturity
IT Service Continuity
Management
Typically the following situations are
frequently found in
organisations:
• An historical lack of investment in
developing recovery
capability.
• Lack of understanding by senior
management and the
IT department on the ‘gap’ between
recovery
requirements and recovery capability.
• New projects and change management
processes do
not incorporate ITSC requirements.
• The extent of ITSC testing and technical
recovery
documentation is limited at best.
• Lack of synergy between ITSC and
business continuity
Policies and
Procedures
• Trust Models
• Security Policy Basics
• Policy Design Process
• Key Security Policies
• Key Security Procedures
Security Policies
• Without security policies, you have
no
general security framework.
• Policies define what behavior is and
is not
allowed.
• Policies will often set the stage in
terms of
what tools and procedures are
needed for the
organization.
• Policies communicate consensus
among a
group of “governing” people.
Trust Models
Trust everyone all of the time
– easiest to enforce, but impractical
– one bad apple can ruin the whole barrel
• Trust no one at no time
– most restrictive, but also impractical
– impossible to find employees to work under such
conditions
• Trust some people some of the time
– exercise caution in amount of trust placed in
employees
– access is given out as needed
– technical controls are needed to ensure trust is
not violated
Policies
People view policies as:
– an impediment to productivity
– measures to control behavior
• People have different views about the
need for
security controls.
• People fear policies will be difficult to
follow and implement.
• Policies affect everyone within the
organization
– most people resist measures which impede
productivity
– some people strongly resist change
– some people strongly resist the “big brother
syndrome”
– some people just like to “rock the boat”
• Policies must:
– be implementable and enforceable
– be concise and easy to understand
– balance protection with productivity
– be updated regularly to reflect the evolution of the
organization
• Policies should:
– state reasons why policy is needed
– describe what is covered by the policies - whom,
what, and where
– define contacts and responsibilities to outside
agencies
– discuss how violations will be handled
Determining Level of
Control
• Security needs and culture play major role.
• Security policies MUST balance level of control
with level of
productivity.
• If policies are too restrictive, people will find ways
to circumvent
controls.
• Technical controls are not always possible.
• Must have management commitment on level of
control.
Security Procedures
• Policies only define "what" is to be
protected.
Procedures define "how" to protect
resources and are
the mechanisms to enforce policy.
• Procedures define detailed actions to take
for specific
incidents.
• Procedures provide a quick reference in
times of crisis.
• Procedures help eliminate the problem of
a single point
of failure (e.g., an employee suddenly
leaves or is
unavailable in a time of crisis).
IT Auditing
Assesses the controls in use on
Information
Technology assets
• Should include hardware, software,
and network
infrastructure components
• Reports on an organization's
information
systems, practices, and operations
Internal Controls
• Auditing emphasizes the evaluation
of internal
controls
• Financial internal controls prevent
fraud or
misrepresentation
• A financial audit provides outside
interests with a
report of the adequate level of
controls
maintained by an organization
House of IT Controls
Enterprise Level
Controls
• Planning
• Operating style
• Policies
• Codes of Conduct
• Fraud Prevention
General IT Controls
• Maintenance
• Disaster Recovery
• Security
• Data Management
• Incident Response
Application Controls
• Embedded Controls
• Access
• Authorizations
• Approvals
• Tolerance Levels
• Reconciliations
• Edits
IT General Controls
– Program development
– Program changes
– Computer operations
– Access to programs and data
Audit Reporting
• In the financial realm, the audit
report is typically
known as an Opinion and written as
an open
memo or letter
• The Opinion offers the auditor’s
evaluation and
validity of observed controls,
including any
remediation suggested to enhance
controls
considered lacking
General IT Audit covers:
– Hardware, Operating Systems, Network
Infrastructure, security
• Application Audits:
– Review controls associated with thirdparty (COTS)
and custom, in-house developed software
– Database applications
Understanding IT Controls
IT control is a process that
provides assurance for
information and
information services, and
helps to mitigate risks
associated with use of
technology.
Hierarchy of Audit Activity
Importance of IT Controls
Needs for IT controls, such as
– controlling cost
– remaining competitive
– protecting of information
assets
– complying with laws and
regulation
• Implementing effective IT
control will improve
efficiency, reliability, flexibility
and availability of assurance
evidence
Types of IT Audits
Systems and Applications Relevancy –
verifies the IT system in place is
appropriate across the IT concerns of
the organization
• Business Continuity – assesses
ability to operate in disruptive periods
• Systems Development – assures
development of software meets
internal and generally accepted
practices of software development
IT Management Architecture –
reviews IT management practices
and processes
• Network Infrastructure – reviews
controls in place throughout the
networked environment, including
security of systems, devices, and
connectivity
Elements of an IT Audit
• Planning
• Fieldwork and Documentation
• Issue Discovery and Validation
• Solution Development
• Report Drafting and Issuance
• Issue Tracking and Post-Audit
Follow-up
Internal versus External
Auditing
In an internal audit a company’s own
accounting
employees perform the audit.
• Accountants working for an independent
firm
normally perform the external audit.
• The chief function of the external audit is
the attest function.
Information Systems (IS)
Auditing
Information systems auditing involves
evaluating the
computer’s role in achieving audit and
control objectives.
• The components of a computer-based IS
are
– people,
– procedures,
– hardware,
– data communications,
– software and
– databases.
• These components are a system of
interacting elements.
Related documents
Download