IT Governance
Information Security
Governance
Acknowledgments
Material is sourced from:
CISA® Review Manual 2009, © 2008, ISACA. All rights reserved.
Used by permission.
CISM® Review Manual 2009, © 2008, ISACA. All rights reserved.
Used by permission.
Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri
Processes include:
Equip IS functionality and address risk
Measure performance of delivering value to the
business
Comply with legal and regulatory requirements
IT Governance Committees
IT Strategic Committee
Focuses on direction and strategy
Members: board members & specialists
Advises board on IT strategy and alignment
Optimization of IT costs and risk
IT Steering Committee
Focuses on implementation
Members: business executives (IT users), CIO, key advisors (IT, legal, audit, finance)
Monitors current projects
Decides IT spending
IT Strategy Committee
Main Concerns
Alignment of IT with Business
Contribution of IT to the Business
Exposure & containment of IT risk
Optimization of IT costs
Achievement of strategic IT objectives
IT Steering Committee
Main Concerns
Decides whether IT is centralized or decentralized, and assigns responsibility accordingly
Makes recommendations for strategic plans
Approves IT architecture
Reviews and approves IT plans, budgets, priorities & milestones
Monitors major project plans and delivery performance
Strategic Planning Process
Strategic: Long-term (3-5 year) direction; considers organizational goals, regulation (and for IT: technical advances)
Tactical: 1-year plan that moves the organization toward the strategic goal
Operational: Detailed or technical plans
Security Strategic Planning (figure: layered planning models, from Systems Model to Tech Model to Detailed Representation)
Sourcing Practices
Insourced: Performed entirely by the organization’s staff
Outsourced: Performed entirely by a vendor’s staff
Hybrid: Partial insourced and outsourced
Onsite: Performed at IS dept site
Offsite or Nearshore: Performed in same geographical
area
Offshore: Performed in a different geographical region
Governance
Policy
Risk
Information Security Importance
Organizations are dependent upon and are
driven by information
Software = information on how to process
Data, graphics retained in files
Information & computer crime has escalated
Therefore information security must be
addressed and supported at highest levels
of the organization
Security Governance
Strategic Alignment: Security solution consistent with
organization goals and culture
Risk Management: Understand threats and cost-effectively
control risk
Value Delivery: Prioritized and delivered for greatest business
benefit
Performance Measurement: Metrics, independent assurance
Resource Management: Security architecture development &
documentation
Process Integration: Security is integrated into a well-
functioning organization
Security Manager Interfaces (figure: the Security Manager at the center, with the relationship to each group)
Executive Mgmt: Directs & approves
Audit & Compliance: Cooperation
IT: Helps in control implementation
Human Resources: Hiring, training, roles & responsibility, incident handling
S/W Development: Security requirements, access control, secure development
Quality: Control testing
Legal: Advises
Business Units: Specific area of expertise, concern, and responsibility
Executive Mgmt Info Security
Concerns
Reduce civil and legal liability related to privacy
Provide policy and standards leadership
Control risk to acceptable levels
Optimize limited security resources
Base decisions on accurate information
Allocate responsibility for safeguarding information
Increase trust and improve reputation outside
organization
Personnel Issues
Background checks can reduce fraud
More sensitive position = more checking required
A standard or procedure may be useful
Training & signed contracts
Track and document theft
Minor incidents could add up to a major pattern
problem
Email can be monitored for potential problem employees,
assuming a monitoring policy is in place and employees are aware of it
Legal Issues
International trade and employment may be liable to different regulations than exist in the U.S., affecting:
Hiring
Internet business
Trans-border data flows
Cryptography
Copyright, patents, trade secrets
Industry may be liable under legislation:
SOX: Sarbanes-Oxley: publicly traded corporations
FISMA: Federal Information Security Management Act
HIPAA: Health Insurance Portability and Accountability Act
GLBA: Gramm-Leach-Bliley: financial privacy
Etc.
Security Governance Framework (figure: Security Framework at the center, surrounded by)
Security Strategy
Policies, Standards, Procedures
Security Organization
Compliance Monitoring
Security Organization
Review risk assessment & Business Impact Analysis
Define penalties for non-compliance with policies
Board of Directors: Defines security objectives and institutes the security organization
Executive Mgmt: Senior representatives of business functions ensure alignment of the security program with business objectives
Security Steering Committee
Chief Information Security Officer (CISO)
Other positions: Chief Risk Officer (CRO), Chief Compliance Officer (CCO)
Security Positions
Security Architect: Designs secure network
Security Administrator: Allocates access to data
Example 1:
Policy: Computer systems are not exposed to illegal, inappropriate, or
dangerous software
Policy Control Standard: Allowed software is defined.
Policy Control Procedure: A description of how to load a computer with
required software.
Example 2:
Policy: Access to confidential information is controlled
Policy Control Standard: Confidential information is never to be emailed
without being encrypted
Discussion: Are these effective controls by themselves?
Other Policy Documents
Data Classification: Defines data security categories,
ownership and accountability
Acceptable Usage Policy: Describes permissible
usage of IT equipment/resources
End-User Computing Policy: Defines usage and
parameters of desktop tools
Access Control Policies: Defines how access
permission is defined and allocated
After policy documents are created, they must be
officially reviewed, updated, disseminated, and tested
for compliance
Secure Strategy:
Risk Assessment
Five Steps include:
1. Assign Values to Assets:
Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities
Confidentiality, Integrity, Availability
Loss = Downtime + Recovery + Liability + Replacement
3. Estimate Likelihood of Exploitation
Weekly, monthly, 1 year, 10 years? (express it as an expected number of incidents per year)
4. Compute Expected Loss
Risk Exposure = Probability of exploitation (per year) * $Loss (per incident), i.e. annualized loss expectancy
5. Treat Risk
Survey & Select New Controls
Reduce, Transfer, Avoid or Accept Risk
Risk Analysis Methods
Qualitative Analysis
Likelihood is categorized: Low, Medium, High
SemiQuantitative Analysis
Likelihood is categorized in scale: 1-10
Quantitative Analysis
Likelihood is based on historical data, past
experience, industry practice, tests, statistical theory
Quantitative Analysis is the preferred method where reliable data exist (incident history, industry figures); otherwise fall back to a qualitative or semi-quantitative scale
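The five risk assessment steps above and the quantitative method, worked through as a small risk register. This is an added example, not part of the course material or the ISACA manuals; every asset, dollar figure, interval and control effect in it is constructed for illustration, and the "net benefit" rule for choosing a control (ALE removed minus control cost) and the risk tolerance threshold are assumptions about how the business decides, not something the slides specify.

```python
"""Quantitative risk assessment: the five steps turned into a small risk register.

Added example with constructed figures; not from the course material.
"""
from dataclasses import dataclass

# Step 3: likelihood as an interval, converted to an annualized rate of occurrence (ARO).
INTERVAL_TO_ARO = {"weekly": 52.0, "monthly": 12.0, "yearly": 1.0, "decade": 0.1}


@dataclass
class Loss:
    """Step 2: Loss = Downtime + Recovery + Liability + Replacement (dollars per incident)."""
    downtime: float
    recovery: float
    liability: float
    replacement: float

    def total(self) -> float:
        return self.downtime + self.recovery + self.liability + self.replacement


@dataclass
class Risk:
    asset: str       # Step 1: the asset this entry is about
    threat: str
    loss: Loss
    interval: str    # expected frequency of successful exploitation

    def sle(self) -> float:
        """Single loss expectancy: dollars lost per incident."""
        return self.loss.total()

    def aro(self) -> float:
        return INTERVAL_TO_ARO[self.interval]

    def ale(self) -> float:
        """Step 4: annualized loss expectancy = probability (per year) * $Loss."""
        return self.sle() * self.aro()


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_factor: float = 1.0  # residual ARO as a fraction of the original (0.25 = 75% fewer incidents)
    sle_factor: float = 1.0  # residual SLE as a fraction of the original (0.2 = 80% smaller loss)


def residual_ale(risk: Risk, control: Control) -> float:
    return risk.ale() * control.aro_factor * control.sle_factor


def net_benefit(risk: Risk, control: Control) -> float:
    """Assumed decision rule: a control is justified only if the ALE it removes exceeds its cost."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def treat(risk: Risk, candidates: list, tolerance: float) -> tuple:
    """Step 5: choose Reduce, Accept, or escalate for Transfer/Avoid.

    Returns (strategy, control name or None, residual ALE in dollars).
    """
    if risk.ale() <= tolerance:
        return ("accept", None, risk.ale())          # below appetite: monitor, carry on
    justified = [c for c in candidates if net_benefit(risk, c) > 0]
    if justified:
        best = max(justified, key=lambda c: net_benefit(risk, c))
        return ("reduce", best.name, residual_ale(risk, best))
    # No cost-effective control: insure (transfer) or stop the activity (avoid).
    return ("transfer/avoid", None, risk.ale())


# Constructed sample register (all figures invented for illustration).
REGISTER = [
    (Risk("customer DB", "ransomware", Loss(20000, 30000, 100000, 0), "yearly"),
     [Control("offline backups", 15000, sle_factor=0.2),
      Control("EDR on servers", 40000, aro_factor=0.25)]),
    (Risk("public web server", "defacement", Loss(2000, 3000, 0, 0), "monthly"),
     [Control("WAF", 20000, aro_factor=0.2)]),
    (Risk("lobby kiosk", "theft", Loss(0, 500, 0, 1500), "decade"), []),
    (Risk("legacy billing host", "hardware failure", Loss(10000, 20000, 0, 20000), "yearly"),
     [Control("replatform", 80000, aro_factor=0.1)]),
]
RISK_TOLERANCE = 5000.0  # assumed: dollars of ALE the business is willing to carry


def assess(register=REGISTER, tolerance=RISK_TOLERANCE) -> list:
    """Rank entries by ALE (the crown jewels float to the top) and attach a treatment."""
    rows = []
    for risk, controls in sorted(register, key=lambda rc: rc[0].ale(), reverse=True):
        strategy, control, residual = treat(risk, controls, tolerance)
        rows.append((risk.asset, risk.threat, risk.ale(), strategy, control, residual))
    return rows


if __name__ == "__main__":
    for asset, threat, ale, strategy, control, residual in assess():
        print(f"{asset:20} {threat:17} ALE ${ale:>9,.0f} -> {strategy:14} "
              f"{control or '-':16} residual ${residual:>9,.0f}")
```

Note what the numbers show: the backups control beats EDR on the database not because it is cheaper in isolation but because it cuts the per-incident loss rather than the frequency, and the legacy host ends up escalated because the only available control costs more per year than the risk it removes. Swapping the interval from "yearly" to "monthly" on any entry changes the ranking, which is why step 3 deserves real incident data rather than a guess.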
Risk Strategies
Avoid: Minimize dangerous activities
Do not open any attachments or follow links
Mitigate: Lessen the probability or the impact of danger
Open attachments only from within company
Buy anti-virus software, firewall, anti-spyware…
Transfer: Buy insurance
Accept: Monitor for danger but continue on
dangerous path
Open those attachments