Security, Audit and Compliance: course overview

Peter Cruickshank

The presentation I use to introduce the post-grad module on information security and governance I teach at Edinburgh Napier University. If you want to find out more, google for 'INF11109' on the napier.ac.uk site.

Page 1: Security, Audit and Compliance: course overview

Security Audit & Compliance

Subject overview

Peter Cruickshank

Page 2

Overview

• Scope and context
• What do we mean by security
• Topics we will cover
• The aim is to let you see the scope
• And to get you familiar with the concepts and issues

2 SAC

Page 3

Stereotype 1

Page 4

Stereotype 2

Page 5

The aim of this course

Mutual understanding (Techies – Managers)

Page 6

THE SCOPE OF THE INFORMATION SYSTEM

Page 7

Six components of an information system

• Procedures
• People
• Data
• Applications
• Networks
• Hardware

Page 8

Another view:

• Computing system
• Computing environment
• Application environment
• Socio-economic environment

Page 9

IS in context: Application Environment

• Growing business dependence on IS/IT
• Development of general purpose rather than dedicated applications
  – Built using common toolsets
  – Less variety in structure & design
• Large scale integration of data sets
• Computer to computer transactions
• Autonomous trading systems

Page 10

IS in context: Computing Environment

• Growth in the power and availability of technology
• Rapid spread of data communications networks
• Development of powerful databases and search engines
• High degree of component commonality

Page 11

IS in context: Socio-economic-legal

• Increasing computer fraud
• Concerns about privacy
• Greater public knowledge of computing
• Rising globalisation of trade
• Introduction of specific laws to control the use of IT
• Public policy v personal preference?

Page 12

The scope of this course: (Business) Computer and Information Systems

• That is: we’re taking the viewpoint of an organisation and its management
  – Could be government, public sector or NGO
• Issues around consumers or individual citizen rights are not central to what we cover
• …nor is the role of ‘national security’ in setting the computer environment

…though these are interesting and important in their own right

Page 13

WHAT IS SECURITY

Page 14

What is security?

Mordac the preventer of information (© Dilbert.com)

Page 15

What is security?

“If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that’s what governments, companies, family members, and everyone else provide. Of course, there are two ways to make people feel more secure.

1. The first is to make people actually more secure, and hope they notice.
2. The second is to make people feel more secure without making them actually more secure, and hope they don’t notice.

The key here is whether we notice. The feeling and reality of security tend to converge when we take notice, and diverge when we don’t. People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn’t too much emotion clouding the issue.”

The feeling and the reality of security, Schneier 2008

Page 16

…Watch for Security theatre, that is…

Page 17

The security balance

Security:
• Complex passwords are secure
• Encryption protects assets

Access:
• Complex passwords prevent access
• Encryption slows things down

Risk

• Technology is not enough
• Controls often conflict with usability and business objectives

Page 18

The security balance 2

[Figure: Effectiveness plotted against Level of technical security, with the regions labelled “Too complex to work”, “Optimum balance” and “Too risky”]

Page 19

What is security?

Information security as…

Science
• Security as an engineering discipline
• Subject to systems thinking

Art
• When things get complicated, it gets too much to plan
• The security manager is left to judge the best way(s) forward

Social science
• People interact with systems: users need to do things
• Behavioural aspects of organisations and change management

Page 20

What is security?

Example of making a business secure

Schneier’s three steps to improved security:

1. Enforce liabilities
2. Allow liabilities to be transferred
3. Outsource security

“Network security is a business problem, and the only way to fix it is to concentrate on the business issues… I have a three-step program towards improving computer and network security. None of the steps has anything to do with the technology; they all have to do with businesses, economics, and people.”

Liability & Security, in Schneier (2008)

Page 21

Security in business: Concept map

Raval & Fichadia 2007, Ch 1

[Concept map with the nodes Business model, Control & Security, Management, Structure, Process and Information, linked by the labels “is comprised of”, “warrant actions for” and “by”]

Page 22

CORE TOPICS

Page 23

Information Security Attributes

• Confidentiality – Protecting privacy
• Integrity – Protection from accidental or deliberate (malicious) modification
• Availability – …for legitimate users; prevention of DoS attacks etc
• Authentication – who are you? Supports non-deniability
• Authorization – what can you do?
• Auditing – Effective auditing and logging is the key to non-repudiation

Page 24

Business requirements in COBIT

• Effectiveness – Relevant and pertinent; timely, correct, consistent
• Efficiency – Productive and economical
• Confidentiality – No unauthorised disclosure
• Integrity – Protection from accidental or malicious modification; accurate, complete, valid
• Availability – …for legitimate users; prevention of DoS attacks etc
• Reliability – Appropriate information to support management decisions

Source: COBIT 4.1

Page 25

Secure Computing

• A computing regime under which information may be stored and processed:
  – To defined standards of confidentiality, integrity and availability
  – To an assessable level of assurance

Security is not a commodity
Security is a state of being!

Page 26

RELATED TOPICS

Page 27

Another theme

• Governance
• Risk Management
• Compliance

Page 28

Governance frameworks

• From the state: Legal
  – Privacy Laws
  – Property legislation – computers, IPR etc
• Sources of law
  – National
  – European
  – USA
• Standards
  – Security Criteria
  – Published Standards

Page 29

Ethics

• Computing poses a new environment for ethical consideration
• Who decides the ethical aspects?
  – Computer Professionals
  – Leaders of Commerce & Industry
  – Computer Users
  – Citizens
• What happens when different values collide?

Page 30

Governance: Privacy

• Holding of data relating to people
• Aggregation of personal data
  – Data matching
  – Marketing of data
  – Universal Identifiers
• Enforcement of fair practice
• Need for a legal context
  – Local
  – Global
• Interacts with individuals’ expression of their identity online

Page 31

Governance: Fraud & Abuse

• Corrupting information
• Damage and disruption
• Threats to the person
• Theft of property and services
• Financial crime

Page 32

Managing threats and vulnerabilities

• Threat – Potential event that can adversely affect an asset
• Attack – A successful attack exploits vulnerabilities in your system
• Risk – Likelihood and impact of that threat occurring

Page 33

Security management

• Policies – Sanctioned by senior management
• Standards – Built on sound policy; carry the weight of policy
• Implemented through: Practices, Procedures, Guidelines

Page 34

Incident response and business continuity

An extension of risk management (Whitman & Mattord p212)

Impact Analysis
• Accept
• Mitigate

Response planning
• Detection
• Reaction
• Recovery

Disaster recovery planning
• Crisis management
• Operations recovery

Business continuity planning
• Strategies
• Planning
• Management

Page 35

System design principles

• Authorisation – Rule driven controls
• Least Privilege – Need to Know principle
• Separation of duty – No individuals in complete control
• Redundancy – To allow graceful degradation
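Three of these principles (rule-driven authorisation, least privilege, separation of duty) can be shown working together in a small access check. This is an added example, not code from the slides; the roles, permissions and the payment workflow are constructed for illustration.

```python
# Added example: rule-driven authorisation that enforces least privilege
# (a role grants only what the job needs) and separation of duty (nobody
# both creates and approves the same payment). All names are constructed.
from dataclasses import dataclass, field

# Least privilege: each role carries only the permissions its job needs.
ROLE_PERMISSIONS = {
    "clerk":    {"payment:create"},
    "approver": {"payment:approve"},
    "auditor":  {"payment:read"},
}

# Separation of duty: one person must not hold both sides of this pair
# on the same payment, whatever roles they have been given.
SOD_CONFLICTS = {("payment:create", "payment:approve")}

@dataclass
class Payment:
    payment_id: str
    amount: int
    actions: list = field(default_factory=list)  # (user, permission) history

def permissions_for(roles):
    """Union of the permissions granted by a user's roles."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

def authorise(user, roles, permission, payment):
    """Rule-driven check; returns (allowed, reason) and records allowed actions."""
    # Rule 1 (need to know): the role must grant the permission at all.
    if permission not in permissions_for(roles):
        return False, f"{user} lacks {permission}"
    # Rule 2 (separation of duty): refuse if this user already performed a
    # conflicting action on the same payment, even if their roles allow it.
    for prior_user, prior_perm in payment.actions:
        if prior_user == user and (
            (prior_perm, permission) in SOD_CONFLICTS
            or (permission, prior_perm) in SOD_CONFLICTS
        ):
            return False, f"separation of duty: {user} already did {prior_perm}"
    payment.actions.append((user, permission))
    return True, "ok"

def run_demo():
    """Walk one constructed payment through the checks; returns the verdicts."""
    pay = Payment("P-1001", 2500)
    results = [
        authorise("alice", ["clerk"], "payment:create", pay),              # allowed
        authorise("alice", ["clerk", "approver"], "payment:approve", pay), # SoD blocks
        authorise("bob", ["approver"], "payment:approve", pay),            # allowed
        authorise("carol", ["auditor"], "payment:approve", pay),           # no privilege
    ]
    return [ok for ok, _ in results]
```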

Page 36

Controls

Page 37

Controls

• Control activities are:
  – actions, supported by policies and procedures that,
  – when carried out properly and in a timely manner,
  – manage or reduce risks.

Page 38

Controls

Preventive Controls
• Preventive controls attempt to deter or prevent undesirable events from occurring.
• They are proactive controls that help to prevent a loss.
• Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets.

Detective Controls
• Detective controls, on the other hand, attempt to detect undesirable acts.
• They provide evidence that a loss has occurred but do not prevent a loss from occurring.
• Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.

Page 39

Controls

• Both types of controls are essential to an effective internal control system.
• From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality.
• However, detective controls play a critical role providing evidence that the preventive controls are functioning and preventing losses.
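Two of the detective controls listed on the previous slides, a reconciliation and a variance analysis, run over constructed records. This is an added example, not material from the slides; the approved-payment list, the bank statement and the budget figure are all made up. Note that neither control stops the loss: they produce the evidence that the preventive controls were bypassed.

```python
# Added example: detective controls over constructed data. Nothing here
# blocks a payment; the output is evidence for a review or audit.

# Constructed: payments the approval workflow says were authorised ...
APPROVED = [("P-1001", 2500), ("P-1002", 800), ("P-1003", 1200)]
# ... and what actually left the account (one amount altered, one never approved).
BANK_STATEMENT = [("P-1001", 2500), ("P-1002", 980), ("P-1003", 1200), ("P-1009", 4000)]

def reconcile(approved, statement):
    """Reconciliation: match each bank movement against an approval.
    Returns a list of (finding, payment_id, amount_or_difference);
    an empty list means the two records agree."""
    approved_by_id = dict(approved)
    findings = []
    for pid, amount in statement:
        if pid not in approved_by_id:
            findings.append(("unapproved_payment", pid, amount))
        elif approved_by_id[pid] != amount:
            findings.append(("amount_mismatch", pid, amount - approved_by_id[pid]))
    paid_ids = {pid for pid, _ in statement}
    for pid, amount in approved:
        if pid not in paid_ids:
            findings.append(("approved_not_paid", pid, amount))
    return findings

def variance_analysis(actual_total, budget, tolerance=0.10):
    """Variance analysis: how far actual spend departs from budget, and
    whether that exceeds the tolerance a reviewer would accept unexplained."""
    variance = (actual_total - budget) / budget
    return round(variance, 3), abs(variance) > tolerance

def run_controls():
    """Apply both detective controls to the constructed records."""
    findings = reconcile(APPROVED, BANK_STATEMENT)
    actual_total = sum(amount for _, amount in BANK_STATEMENT)
    variance, flagged = variance_analysis(actual_total, budget=4500)
    return findings, variance, flagged

if __name__ == "__main__":
    for item in run_controls():
        print(item)
```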

Page 40

Final thought

http://xkcd.com/936/