Cybersecurity Risk – Uncertainty of potentially harmful events related to Cybersecurity • Cybersecurity Risk Management – Process of managing (reducing) potentially harmful uncertain events due to the lack of effective Cybersecurity Risks Arise at Different Levels • Strategic – high-level goals, aligned with and supporting its mission • Tactical – tactical goals, programs/projects aligned with resources • Operations – effective and efficient use of its resources • Reporting – reliability of reporting • Compliance – compliance with applicable laws and regulations. Information Security: Types of Risk • Physical damage. Fire, water, vandalism, power loss, and natural disasters • Human interaction. Accidental or intentional action or inaction that can disrupt productivity • Equipment malfunction. Failure of systems and peripheral devices • Inside and outside attacks. Hacking, cracking, and attacking • Misuse of data. Sharing trade secrets, fraud, espionage, and theft • Loss of data. Intentional or unintentional loss of information through destructive means • Application error. Policy • A policy is a general statement designed to guide employees' actions in recurring situations. • It establishes broad limits, provides direction, but permits some initiative and discretion on the part of the supervisor. Procedure • A procedure is a sequence of steps or operations describing how to carry out an activity and usually involves a group. • More specific than a policy, a procedure establishes a customary way of handling a recurring activity. An asset is anything within an environment that should be protected. Asset valuation is a dollar value assigned to an asset based on actual cost and nonmonetary expenses. Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset is a threat. The absence of or the weakness of a safeguard or countermeasure is called a vulnerability. Exposure is being susceptible to asset loss due to a threat; Risk is the possibility that a threat will exploit a vulnerability to cause harm to an asset. A safeguard, or countermeasure, is anything that removes a vulnerability or protects against one or more specific threats. A breach is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. A common model for classifying attacker goals is the STRIDE model: – Spoofing – Posing as another user, component, or external system that should be identified by the system – Tampering – Unauthorized modification of data – Repudiation – Denying performing an action without the system being able to prove otherwise – Information Disclosure – Exposure of protected data to an unauthorized user – Denial of Service – Disallowing valid users to access the system – Elevation of Privileges – Gaining privileged access by a lower privileged user DREAD Model Another method for determining risk is the DREAD model: – Damage potential – How great is the damage if the vulnerability is exploited? – Reproducibility – How easy is it to reproduce the attack? – Exploitability – How easy is it to launch an attack? – Affected users – As a rough percentage, how many users are affected? – Discoverability – How easy is it to find the vulnerability? Risk = Min(D, (D+R+E+A+D) / 5) – Risk Acceptance - doing nothing – Risk Transference - pass risk to an externality – Risk Avoidance - removing the feature/component that causes the risk – Risk Mitigation - decrease the risk Internet Threat Hierarchy Risk Analysis A risk analysis has four main goals: • Identify assets and their values • Identify vulnerabilities and threats • Quantify the probability and business impact of these potential threats • Provide an economic balance between the impact of the threat and the cost of the countermeasure Total risk = Σ(E + T + C + P) where: E represents the risks from the general economy T represents technology risk C represents risks from competition P represents risk surrounding the product Itself The exposure factor (EF) represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. The annualized rate of occurrence (ARO) is the expected frequency with which a specific threat or risk will occur (i.e., become realized) within a single year. The annualized loss expectancy (ALE) is the possible yearly cost of all instances of a specific realized threat against a specific asset. EF (Exposure Factor) = Percentage of asset loss caused by identified threat. • SLE (Single Loss Expectancy) = Asset value * Exposure Factor • ARO (Annualized Rate of Occurrence) = Estimated frequency a threat will occur within a year. • ALE (Annualized Loss Expectancy) = Single Loss Expectancy * Annualized Rate of Occurrence Once countermeasures are implemented, the risk that remains is known as residual risk. Physical security critical to security of cyber environment Security for protection of data and system from unauthorized access and unauthorized or unintentional change or disturbance of data processing IA is the process of ensuring that the right people get the right information at the right time. V & V Model Scrum and XP • Pair programming • Test-driven development • Collective code ownership • Coding standards Kanban has proven useful for teams – that struggle to decompose and fit work into single iterations (to make stories smaller) – teams that struggle with the definition of customer‐valued work (potentially shippable version after each sprint) A Coding Dojo • A Coding Dojo is a place where programmers come to improve their skills, by following a pattern similar to the martial arts dojo. • Participants meet for at a pre‐arranged time in a room that has one computer attached to a screen. • A programming challenge is posed for each session. • There are a couple of ways this is done that will be discussed later. • During the session, the group spends a pre‐set amount of time developing a solution to the challenge. • At the end of the session the code is discarded (often it is archived for future reference and study). • The amount of time spent on the problem is fixed. • Regardless of the state of the solution, when the time expires, the session is done. Code Katas • Kata (Japanese for form or pattern) are an exercise where the novice repeatedly tries to emulate a master. • In karate, these kata are a sequence of basic moves (kicks, blocks, punches, and so on), strung together in a way that makes sense. • You’ll never be attacked in such a way that you could repeat a kata to defend yourself: that isn’t the idea. • Instead the idea is to practice the feel and to internalize the moves. – (Interestingly, kata are not just used in the martial arts. Calligraphers also learn using kata, copying their masters’ brush strokes.) Kumite • Once you get some way into your training, you start kumite, or sparring. • Kumite is a supervised exercise between two students, or between a student and a master. • Here they learn to assemble the basic moves into coherent sequences, combining offensive and defensive elements into something that works. • While kata could be considered static, repeating the same sequence over and over, kumite is dynamic. Koans are questions without absolute answers which are used to break down assumptions and reveal underlying truths. A secure product is one that protects the confidentiality, integrity, and availability of the customers’ information, and the integrity and availability of processing resources under control of the system’s owner or administrator. Software security—the process of designing, building, and testing software for security. The Software Assurance Maturity Model is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. Agile secure programming Customer focused Responsive Iterative Trustworthy Domains of IT The four Ps of Strategy • perspective: the distinctive vision and direction • position: the basis on which the provider will compete • plan: how the provider will achieve their vision • pattern: the fundamental way of doing things – distinctive patterns in decisions and actions over time Benefits of ITSM • Aligns IT with the business needs • Moves from a technology to service based culture • More ability to absorb rapid change • Improves quality of IT services • IT perceived as offering value to the organisation • Ensures everyone speaks the same language Incident Management Incident management seeks to restore client service as soon as possible while minimizing any negative effect on his/her work Description – End users (the customers of the IT department) need a clearly defined point of contact. Incident management’s center of attention is the restoration of the agreed service level in a speedy and uniform manner. • Goal –Swift restoration of normal service operation (normal, as defined within SLA limits) and minimal impact on business processes. Problem Management • Description – problem management is focused on preventive measures and the identification of the root cause of incidents. • Goal – An efficient and timely solution for problems is based on the definition of clear priorities. Configuration Management Account for and document all the IT organization assets and configurations to support all the other Service Management processes Description – management of the configuration is essential to tap the full potential of an application system. Configuration management is responsible for providing the information necessary for planning and monitoring of the resources. • Goal – There is no single goal of the configuration management process, rather there are multiple goals: – Account for IT assets and configurations. – Verify the configuration records and correct exceptions. – Provide accurate information on configurations and the referring documentation as well as a sound basis for other processes (incident, problem, change and release management). Change Management The objective of change management is to carry out changes economically and in a timely manner with minimal risk Description – Even though services evolve constantly, the quality of services delivered to core business processes may not be disrupted. Reliable change management treats planning and supervising of changes to the existing infrastructure thus minimizes the risk of damage to existing and new application systems, infrastructure and services. • Goal – Changes are implemented within the agreed time and minimal risk. Release Management Successful planning and control of hardware and software installations Description – Assurance that only tested and approved applications are rolled out is becoming more and more important, as different operating systems, different locations and an increased frequency of patches complete the release management. • Goal – Approved and accredited components (hardware, software, firmware as well as documents) are installed trouble-free and on schedule. Service Level Management • Description – With a sound service level management, clear interfaces and specification of services are defined with customers (senior management). Users and internal as well as external suppliers are defined and managed. Internal operational level agreements and contracts with external suppliers facilitate adherence to negotiated service level agreements. • Goal – The goal is to ensure the compliance of the services delivered with the level of services demanded and agreed upon. Service Level Management Tasks • Negotiate and modify service level requirements with business and clients • Monitor and report on the actual service level • Plan and implement continuous improvements in services and service levels • Prepare and maintain a service catalogue Service Level Management Benefits • The required level of service is unambiguous, consistent and measurable • There is an appropriate balance between service costs and desired service levels • Customer productivity is enhanced by the provision of improved services • Objective proof of the service quality delivered helps prevent differences of opinion • The number and ramifications of unplanned requirements are reduced Service Level Management Key Performance Indicators • Extent of coverage of the IT services • Number of deviations from the agreed service levels • Customer satisfaction • Availability of the services Financial Management for IT Services • Description – Management of expenses and accurate redistribution of costs improve the availability of financial resources. • Goal – Finance-related information is provided to establish costoriented steering of the organization. Capacity Management • Description – Proactive identification of performance requirements ensures a continuous level of service and a proper management of resources. A sound management of capacity considers three levels: – Business capacity – Service capacity – Resource capacity • Goal – Providing the appropriate capacity ensures the delivery of the service at an agreed level. Capacity Management Key Performance Indicators • Workload of IT services • Reserves • Number of bottlenecks • Capacity utilization rate of staff and systems • Costs: economic use of resources • Ability to meet deadlines when providing Resources IT Service Continuity Management • Description – By minimizing negative effects caused by disastrous and unpredictable events, disruption of the core business processes is to be minimized. • Goal – The goal is to provide a predetermined and agreed level of services in case of a disastrous event. Service Continuity Management Tasks • Carry out risk analyses as part of business continuity management • Prepare recovery plans for IT services and necessary investments in order to implement them • Test and verify plans to be able to restore the services in an emergency in the time required, safely and in a controlled way • Keep the recovery plans up to date Service Continuity Management Benefits • Restrictions to daily business and loss of data in the event of a disaster are reduced • By implementing preventative measures, the number of failures is reduced to a minimum Service Continuity Management Key Performance Indicators • Business continuity service level (time delay and data loss in case of a catastrophic event) • Investment and maintenance costs of the IT recovery solution • Test successes (technology, business cases, and current status of data) • Process costs Availability Management • Description – Continuous monitoring and improvement of the availability of systems minimizes outages and thus improves the availability of services. • Goal – The goal is to ensure the consistent availability of IT services as required by the business processes. Availability Management Tasks • Determine availability requirements • Prepare availability forecasts • Prepare an availability plan • Determine the actual availability • Prepare reports • Improve the agreed availability Availability Management Benefits • IT services are designed and controlled so that contracted availability is achieved • Service quality improves and cost reduces • Fewer problems • Less maintenance and down time • More detailed information is available for service level negotiations Availability Management Key Performance Indicators • Productive time lost by customers • Income lost • Materials consumed • Client satisfaction Security Management Definition Protect data and infrastructures so that • confidentiality is appropriately preserved • integrity of information is ensured • availability is ensured • conducting a transaction is not denied • obligations imposed by law, contractual arrangements and supervisory bodies can be fulfilled Security Management Tasks • Develop security plan, guidelines and policies • Manage roles & responsibilities • Prepare confidentiality agreements for personnel • Promote increased security awareness Security Management Benefits • Increased security for data, systems and applications • Prevention of data loss • Ensured data integrity • Guarantee of data confidentiality • Compliance with statutory obligations concerning data protection • Increased client confidence • Increased awareness of employees about security Issues Security Management Key Performance Indicators • Internal and external security audits • Number of intrusions detected, firewall attacks, virus attacks etc. • Damage that occurs during security intrusions • Process costs Comparison of ITIL to BS15000 ITIL – Provides framework for best practice – Can assess maturity – Flexible and adaptable BS 15000 – Normative reference – Internationally recognised certification – Prescriptive – Cannot assess maturity – Only pass or fail Types of Disasters What is BCM? (cont.) • Elements include – Principles of Risk Management – Design and implementation of Crisis Management and Emergency Operations Programs – Planning for recovery and continued availability of operations during disruptive events – Designing and implementing business process manual procedures for use during a disruption – Designing and implementing secure, fail-proof (faulttolerant) systems for continuous availability – Designing and implementing threat prevention and detection systems – Encompasses development of procedures, acquisition of resources, testing, and maintenance Business Continuity Management Life Cycle Risk Assessment General risk: – Natural Events - risk driven by natural or act of God – Technological Events - risk driven by technology, broadly defined – Human Events - event driven by acts of specific individuals both internal and external to the organization Business Impact Analysis Governance Availability/Recovery Strategies BCM Plans & Documentation Resource Acquisition & Implementation Training & Awareness Testing Continuous Improvement/QA Incident Response Life Cycle 1. Preparation (malware-specific incident handling policies and procedures, malwareoriented training and exercises) 2. Detection and Analysis (Early detection can help the organization minimize the number of infected systems) 3. Containment (stopping the spread of the malware and preventing further damage to systems), Eradication (remove malware from infected systems), and Recovery (restoring the functionality and data of infected systems and removing temporary containment measures) 4. Post-Incident Activity (Software Reconfiguration, Malware Detection Software Deployment, Awareness Program Changes, Security Policy Changes). CIP Goals CIP Roles Government “What’s the goal”Levels Infrastructure “Prioritize Risks” Public-Private Partnership “What’s critical” Operators “Best control solutions” Establish and Exercise Emergency plans • Public and private sector organizations can benefit from developing joint plans for managing emergencies – including recovering critical functions in the event of significant incidents, including but limited to natural disasters, terrorist attacks, technological failures or accidents. • Emergency response plans can mitigate damage and promote resiliency. • Effective emergency response plans are generally short and highly actionable so they can be readily tested, evaluated, and implemented. • Testing and exercising emergency plans promotes trust, understanding and greater operational coordination among public and private sector organizations. • Exercises also provide an important opportunity to identify new risk factors that can be addressed in response plans or controlled through regular risk management functions. The Security Development Lifecycle Product Inception Assign security advisor Identify security milestones Plan security integration into product Design Define security architecture and design guidelines Document elements of software attack surface Threat Modeling Standards, best practices, and tools Apply coding and testing standards Apply security tools (fuzzing tools, staticanalysis tools, etc) Security Push Security code reviews Focused security testing Review against new threats Meet signoff criteria Final Security Review Independent review conducted by the security team Penetration testing Archiving of compliance info RTM and Deployment Signoff Security Response Plan and process in place Feedback loop back into the development process CIP and CIIP Industry Capabilities Government Capabilities Computer Security Incident Response Teams (CSIRT) A CSIRT is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity. • Its services are usually performed for a defined constituency that could be a parent entity such – as a corporation, – government, or educational organization; – a region or country; – a research network; or – a paid client. A CSIRT may also perform a proactive role. This may include – providing security awareness training, – security consulting, – Configuration maintenance, and – producing technical documents and advisories. The goals of a CSIRT must be based on the business goals of the constituent or parent organizations. • Protecting critical assets is key to the success of both an organization and its CSIRT. • The goal of a CSIRT, in this context, is to minimize and control the damage, provide effective response and recovery, and work to prevent future events from happening. • In this role the CSIRT collects incident information, security weaknesses, and software and system vulnerabilities in the organizational infrastructure or – within a constituency. In a commercial, military, educational, or government setting, the CSIRT becomes a focal point for business intelligence within the organization and a primary source of authentic risk data. • This information can provide an important data feed into operational risk modeling. • The CSIRT can be seen as a key element in loss minimization and risk mitigation. • In this same manner, the CSIRT’s role as a central repository allows it to gather an enterprisewide picture of security issues as it relates across the organization. • This also allows the CSIRT to link together events that may not have been seen to be related when looked at – individually. Types of CSIRTs CSIRTs come in all shapes and sizes and serve diverse constituencies. – Some CSIRTs, such as the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), support an entire country. – Other CSIRTS may provide support to a particular university such as Oxford, – a commercial organization such as Boeing or SUN Microsystems, or – a particular domain or IP range such as the Telia CERT Coordination Centre (TeliaCERTCC). • There are also corporate teams and organizations that provide CSIRT services to clients for a fee, such as – IBM Managed Security Services (IBM-MSS) or – – the debis Computer Emergency Response Team (dCERT). Categories of CSIRTs Internal CSIRTs provide incident handling services to their parent organization, which could be a bank, a university, or a federal agency. • Coordination centers coordinate and facilitate the handling of incidents across various CSIRTs, or for a particular country, state, research network, or other such entity. • Usually coordination centers will have a broad scope and a diverse constituency. • Analysis centers focus on synthesizing data from various sources to determine trends and patterns in incident activity. This information can then be used to help predict future activity or provide early warning when current activity matches a set of previously determined characteristics. Vendor teams located in software or hardware companies and handle reports concerning vulnerabilities in their products. • They analyze the vulnerabilities, develop patches or workarounds, and disseminate this information to their clientele or to the broader public. – They work with other CSIRTs, security experts, and researchers to track and respond to these vulnerabilities. • Incident response providers provide incident handling services as a product to other organizations. • They are sometimes referred to as managed security service providers (MSSPs). FIRST Goals were to share information among CSIRTs and, if needed, to aid one another during incidents and network-wide attacks. • The CSIRT community is still pursuing these goals today. • Teams working in various collaborations are looking for the most effective way to establish a coordination network. • In November 1990 IT WAS DECIDED to establish a forum for CSIRTs and security teams, which is now the Forum of Incident Response and Security Teams (FIRST). FIRST is primarily a network of registered members, either CSIRTs or security teams. • The members work together voluntarily and concentrate on the – prevention of incidents, – sharing of information, – sharing of vulnerability and artifact analysis, and – coordination of response activities, where appropriate, when an incident occurs. IT Governance The processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives Compliance is the assessment of work products and processes against standards. enable the strategic and tactical alignment of IT · understand the value and impact of IT investments (dollars, human resources, and capital) identify opportunities for improved IT utilization support visible and transparent decision making establish and sustain effective IT policies establish performance measurements identify and mitigate risks satisfy regulatory and formal compliance requirements IT Governance Framework Linking Business Goals and IT Processes IT Governance Process IT Governance Life Cycle Goals for IT Governance (1) assure that the investments in IT generate business value, and (2) mitigate the risks that are associated with IT. IT Governance Focus Areas of IT Governance Strategic alignment, with focus on aligning with the business and collaborative solutions – Value delivery, concentrating on optimizing expenses and proving the value of IT – Risk management, addressing the safeguarding of IT assets, disaster recovery and continuity of operations – Resource management, optimizing knowledge and IT infrastructure • None of these factors can be managed appropriately without: – Performance measurement, tracking project delivery and monitoring IT services IT Strategic Alignment IT Risk Management The board should manage enterprise risk by: Ascertaining that there is transparency about the significant risks to the organization Being aware that the final responsibility for risk management rests with the board Being conscious that risk mitigation can generate cost-efficiencies Considering that a proactive risk management approach creates competitive advantage Insisting that risk management is embedded in the operation of the enterprise IT BSC Measures Governance Enablers Governance enablers are the organisational resources for governance, such as frameworks, principles, structure, processes and practices, toward which or through which action is directed and objectives can be attained. • Enablers also include the enterprise’s resources, e.g., service capabilities (IT infrastructure, applications, etc.), people and information. Given the importance of governance enablers, COBIT 5 includes a single way of looking at and dealing with enablers. Governance Scope Governance can be applied to the whole enterprise, an entity, a tangible or intangible asset, etc. • That is, it is possible to define different views of the enterprise to which governance is applied, and it is essential to define this scope of the governance system well. Goal of IT Value Governance Framework The goal of the IT Value Governance Framework initiative is to help management ensure that organizations realize optimal value from IT-enabled business investments at an affordable cost with a known and acceptable level of risk. • IT Value Governance Framework provides guidelines, processes and supporting practices to assist the board and executive management in understanding and carrying out their roles related to such investments. • Value Governance (VG) Practices • Portfolio Management (PM) Practices • Investment Management (IM) Practices IT Risk Governance Enterprises are dependent on automation and integration • Need to cross IT silos of risk management • Important to integrate with existing levels of risk management practices Risk IT’s Three Domains COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal control and corporate governance. COSO identifies five essential components of effective internal control. They are: – Control environment – Risk assessment – Control activities – Information and communication – Monitoring While the importance of IT controls is embedded in the COSO internal control framework, IT management requires specific examples to help identify, document and evaluate IT controls. • The COSO framework has been rapidly adopted by financial auditors as a means implanting controls for the financial reporting process. SOX Strategy Strategy is simply how to deploy your resources to generate maximum value for stakeholders. • Where dayto-day operations is about doing things right, strategy is about doing the right things. 8 • Strategy sets the potential value that an enterprise can deliver and, as such, is a key activity. • However, in most enterprises and IS organizations, strategy processes are weaker, less well-defined and less wellexecuted than operations processes. Effective IT Strategy IT organizations and their teams struggle with developing an effective IT strategy. • They generally are confused about how the IT strategy fits with the business 9 strategy and how to ensure that the strategy that is created can endure over time. • Strategy is the bridge between policy or high-order goals on the one hand and tactics or concrete actions on the other. • Strategy is a term that refers to a complex web of thoughts, ideas, insights, experiences, goals, expertise, memories, perceptions, and expectations that provides general guidance for specific actions in pursuit of particular ends. • Strategy is at once the course we chart, the journey we imagine and, at the same time, it is the course we steer, the trip we actually make. “Mission statements" and "core values" • “Mission statements" and "core values" are not included. • The “strategy definition” framework is about action — what to do. • Mission statements and core values are about 24 how employees and their leaders should behave while taking those actions. • They add style to a strategy, not substance. Because these statements and values could exist without a strategy or in support of a strategy, they should not be misconstrued as a strategy definition by themselves. Vision Vision is a short, succinct, and inspiring statement of what the organization intends to become and to achieve at some point in the future, often stated in competitive terms. • Vision refers to the category of intentions that are broad, all-intrusive and forward-thinking. • It is the image that a business must have of its goals before it sets out to reach them. • It describes aspirations for the future, without specifying the means that will be used to achieve those desired ends. Mission Statement mission statement is an organization's vision translated into written form. • It makes concrete the leader's view of the direction and purpose of the organization. • For many corporate leaders it is a vital element in any attempt to motivate employees and to give them a sense of priorities. Strategic Intent • A strategic intent is a company's vision of what it wants to achieve in the long term. • It must convey a significant stretch for your company, a sense of direction, discovery, and opportunity that can be communicated as worthwhile to all employees. • It should not focus so much on today's problems but rather on tomorrow's opportunities Core Values • Core values are the organization’s essential and enduring tenets— a small set of timeless guiding principles that require no external justification; • They have intrinsic value and importance to those inside the organization. Strategy Process Preparation >> Planning >> Communication >> Realization Strategic planning 1. Selection of the corporate mission and major corporate goals; 2. Analysis of the organization’s external competitive environment to identify opportunities and threats; 3. Analysis of the organization’s internal operating 42 environment to identify the organization’s strengths and weaknesses; 4. Selection of strategies that build on the organization’s strengths and correct its weaknesses in order to take advantage of external opportunities and counter external threats (SWOT); 5. Strategy implementation. SWOT Analysis The SWOT analysis – (strengths, – weaknesses, – opportunities, and – threats) examines the company’s internal strengths and 45 weaknesses with respect to the environment and the competition and looks at external opportunities and threats. • Opportunities may help to define a target market or identify new product opportunities, while threats are areas of exposure. • A SWOT analysis should be to build on a company’s strengths in order to exploit opportunities, counter threats, and correct weaknesses. Strengths - Think about what your company does well. Some questions to help you get started are: What makes you stand out from your competitors? What advantages do you have over other businesses? • Weaknesses - List the areas that are a struggle for your company. Some questions to help you get started are: What do your customers complain about? What are the unmet needs of your sales force? 46 • Opportunities - Traditionally, a SWOT looks only at the external environment for opportunities. I suggest you look externally for areas your competitors are not fully covering, then go a step further and think how to match these to your internal strengths. • Threats - As with opportunities, threats in a traditional SWOT analysis are considered an external force. By looking both inside and outside of your company for things that could damage your business, however, you may be better able to see the big picture. Internal Analysis Factors should be evaluated across the organization in areas such as: • Company culture • Company image • Organizational structure • Key staff • Access to natural resources • The SWOT analysis summarizes the internal factors of the firm as a list of strengths and weaknesses. • Position on the experience curve • Operational efficiency • Operational capacity • Brand awareness • Market share • Financial resources • Exclusive contracts • Patents and trade secrets External Analysis • An opportunity is the chance to introduce a new product or service that can generate superior returns. • Opportunities can arise when changes occur in the external environment. • Many of these changes can be perceived as threats to the market position of existing products and may necessitate a change in product specifications or the development of new products in order for the firm to remain competitive. Changes in the external environment may be related to: • Customers • Competitors • Market trends • Suppliers • Partners • Social changes • New technology • Economic environment • Political and regulatory The SWOT analysis summarizes the external environmental factors as a list of opportunities and threats. BSC is a Top-down Methodology The BSC is a top-down methodology that examines organizations from – internal and external, – financial and non-financial, and – short- and long-term perspectives. • The philosophy of the BSC is that organizations are more effective when guided and aligned by their mission and vision and 68 when focused on multiple perspectives. • A good balanced scorecard is a mirror of an organization’s strategy. • The performance measures translate the strategy into action. • The term “balance” comes from an examination of multiple perspectives instead of a single financial perspective. • It is not “balanced” in a mathematical sense where perspectives are assigned weights to calculate a final score. Strategy Implementation: Supporting Factors • Action Planning (chronological lists of action steps) • Organization Structure • Human Resources • The Annual Business Plan • Monitoring and Control • Linkage Cyber Security Standards Cyber security standards are security standards which enable organizations to practice safe security techniques in order to minimize the number of successful cyber security attacks. • These guides provide general outlines as well as specific techniques for implementing cyber security. • For certain specific standards, cyber security certification by an accredited body can be obtained. • There are many advantages to obtaining certification including the ability to get cyber security insurance. ISO/IEC 27000-series • ISO/IEC 27001 - the certification standard against which organizations' ISMS may be certified (published in 2005) • ISO/IEC 27002 - the re-naming of existing standard ISO 17799 The outline is a high level guide to cyber security. • It is most beneficial for an organization to obtain a certification in order to be recognized as compliant with the standard. Information Security Policy – Organization of information security – Asset Management – Information security incident management – Business continuity management – Compliance – Human resource security – Physical and environmental security – Communication and operations management – Access control – Information systems acquisition, development and maintenance ISO/IEC 27006 - a guide to the certification/registration process (published in 2007) Plan-Do-Check-Act Plan - Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives. Do - Implement and operate the ISMS policy, controls, processes and procedures. Check - Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review. Act - Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS. NIST 800-12 • Special publication 800-12 provides a broad overview of computer security and control areas. • It also emphasizes the importance of the security controls and ways to implement them. • Initially this document was aimed at the federal government although most practices in this document can be applied to the private sector as well. • Specifically it was written for those people in the federal government responsible for handling sensitive systems. Process Maturity IT Service Continuity Management Typically the following situations are frequently found in organisations: • An historical lack of investment in developing recovery capability. • Lack of understanding by senior management and the IT department on the ‘gap’ between recovery requirements and recovery capability. • New projects and change management processes do not incorporate ITSC requirements. • The extent of ITSC testing and technical recovery documentation is limited at best. • Lack of synergy between ITSC and business continuity Policies and Procedures • Trust Models • Security Policy Basics • Policy Design Process • Key Security Policies • Key Security Procedures Security Policies • Without security policies, you have no general security framework. • Policies define what behavior is and is not allowed. • Policies will often set the stage in terms of what tools and procedures are needed for the organization. • Policies communicate consensus among a group of “governing” people. Trust Models Trust everyone all of the time – easiest to enforce, but impractical – one bad apple can ruin the whole barrel • Trust no one at no time – most restrictive, but also impractical – impossible to find employees to work under such conditions • Trust some people some of the time – exercise caution in amount of trust placed in employees – access is given out as needed – technical controls are needed to ensure trust is not violated Policies People view policies as: – an impediment to productivity – measures to control behavior • People have different views about the need for security controls. • People fear policies will be difficult to follow and implement. • Policies affect everyone within the organization – most people resist measures which impede productivity – some people strongly resist change – some people strongly resist the “big brother syndrome” – some people just like to “rock the boat” • Policies must: – be implementable and enforceable – be concise and easy to understand – balance protection with productivity – be updated regularly to reflect the evolution of the organization • Policies should: – state reasons why policy is needed – describe what is covered by the policies - whom, what, and where – define contacts and responsibilities to outside agencies – discuss how violations will be handled Determining Level of Control • Security needs and culture play major role. • Security policies MUST balance level of control with level of productivity. • If policies are too restrictive, people will find ways to circumvent controls. • Technical controls are not always possible. • Must have management commitment on level of control. Security Procedures • Policies only define "what" is to be protected. Procedures define "how" to protect resources and are the mechanisms to enforce policy. • Procedures define detailed actions to take for specific incidents. • Procedures provide a quick reference in times of crisis. • Procedures help eliminate the problem of a single point of failure (e.g., an employee suddenly leaves or is unavailable in a time of crisis). IT Auditing Assesses the controls in use on Information Technology assets • Should include hardware, software, and network infrastructure components • Reports on an organization's information systems, practices, and operations Internal Controls • Auditing emphasizes the evaluation of internal controls • Financial internal controls prevent fraud or misrepresentation • A financial audit provides outside interests with a report of the adequate level of controls maintained by an organization House of IT Controls Enterprise Level Controls • Planning • Operating style • Policies • Codes of Conduct • Fraud Prevention General IT Controls • Maintenance • Disaster Recovery • Security • Data Management • Incident Response Application Controls • Embedded Controls • Access • Authorizations • Approvals • Tolerance Levels • Reconciliations • Edits IT General Controls – Program development – Program changes – Computer operations – Access to programs and data Audit Reporting • In the financial realm, the audit report is typically known as an Opinion and written as an open memo or letter • The Opinion offers the auditor’s evaluation and validity of observed controls, including any remediation suggested to enhance controls considered lacking General IT Audit covers: – Hardware, Operating Systems, Network Infrastructure, security • Application Audits: – Review controls associated with thirdparty (COTS) and custom, in-house developed software – Database applications Understanding IT Controls IT control is a process that provides assurance for information and information services, and helps to mitigate risks associated with use of technology. Hierarchy of Audit Activity Importance of IT Controls Needs for IT controls, such as – controlling cost – remaining competitive – protecting of information assets – complying with laws and regulation • Implementing effective IT control will improve efficiency, reliability, flexibility and availability of assurance evidence Types of IT Audits Systems and Applications Relevancy – verifies the IT system in place is appropriate across the IT concerns of the organization • Business Continuity – assesses ability to operate in disruptive periods • Systems Development – assures development of software meets internal and generally accepted practices of software development IT Management Architecture – reviews IT management practices and processes • Network Infrastructure – reviews controls in place throughout the networked environment, including security of systems, devices, and connectivity Elements of an IT Audit • Planning • Fieldwork and Documentation • Issue Discovery and Validation • Solution Development • Report Drafting and Issuance • Issue Tracking and Post-Audit Follow-up Internal versus External Auditing In an internal audit a company’s own accounting employees perform the audit. • Accountants working for an independent firm normally perform the external audit. • The chief function of the external audit is the attest function. Information Systems (IS) Auditing Information systems auditing involves evaluating the computer’s role in achieving audit and control objectives. • The components of a computer-based IS are – people, – procedures, – hardware, – data communications, – software and – databases. • These components are a system of interacting elements.