© 2003 ISACA Chapter 1 Information Security Governance 2003 CISM™ Review Course


Information Systems Audit and Control Association
Title slide for Chapter 1
The instructor should explain to the students that the review course will cover the areas that CISM exam will address. However, the course is not meant to replace the candidate’s experience in the Information Security Management field. It would be difficult to become certified only by attending this course and reading the review guide as there is no substitute for practical experience.
2003 ISACA
8 Task Statements
The CISM candidate will be tested on their practical understanding of each of five information security management areas, which are further defined and detailed through task and knowledge statements. These specific task and knowledge statements are covered in the CISM Review Manual 2003 and in this course.
Note to Instructor:
Please emphasize to candidates that reading and understanding this material will not guarantee them success on the CISM examination. The CISM examination will require them to answer questions and to make judgments based on the information learned in this course and on their own professional experiences. As you go through this material try to add your own experiences, and/or ask class participants to do so. In addition, recommend that candidates refer to the numerous additional information references that appear throughout the CISM Review Manual 2003, especially in areas in which they may be unfamiliar.
In summary this area includes the following task statements:
Develop the information security strategy in support of business strategy and direction.
Obtain senior management commitment and support for information security throughout the enterprise.
Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.
Establish reporting and communication channels that support information security governance activities.
Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.
Establish and maintain information security policies that support business goals and objectives.
Ensure the development of procedures and guidelines that support information security policies.
Develop business case and enterprise value analysis that support information security program investments.
The CISM candidate must understand and evaluate the 8 tasks and 21 Knowledge Statements within this Information Security Governance Domain.
These tasks are covered in more detail in the slides that follow:
Objective
The objective of this job practice area is to focus on the need for a stable security governance program to be in place so all security strategies and processes can be planned, designed, implemented and maintained. Only with stable information security governance in place can an organization begin to address the threats to their survivability and profitability.
References for additional information on this topic are provided in the CISM Review Manual 2003. There the candidate can find links to:
- examples of cyber laws
- descriptions of the widely accepted ISO 17799
- descriptions of the widely accepted BS7799
- description of a compliance approach to security standards
- article on basing standards on economic impact to the organization
- examples of security guidelines from Australia
- link to ISACA’s COBIT page describing control objectives and guidance
- a publication on good information security practices.
Various references are provided throughout this course as well.

According to the CISM Certification Board, this area will represent approximately 21% of the CISM examination (approximately 42 questions).
This content area represents 21 percent of the CISM examination (approximately 42 questions).
Task 1
The alignment of the information security strategy and business strategy is supported in many standards including:
Information Systems Audit and Control Association, COBIT
Organization for Economic Cooperation and Development (OECD) Security Guidelines
Institute of Chartered Accountants in England, Turnbull report
ISO/IEC 17799
BS 7799
The Information Security Forum’s Standard of Good Practice
Task 1: Develop the information security strategy in support of business strategy and direction.
 
It is evident that IT and business governance cannot be separated; guidance on this is contained in documents such as:
·        Organization for Economic Cooperation and Development (OECD) Security Guidelines
·        Institute of Chartered Accountants in England, Turnbull report
·        ISO/IEC 17799
·        BS 7799
·        The Information Security Forum’s Standard of Good Practice

The information security manager should ensure that a security strategy is designed, developed, implemented and maintained. The security strategy often includes:
Business strategy linkages
A set of processes, methods, tools and techniques together constitute a security strategy. The security manager should ensure that technologies, products and services are in place for policy, architecture, authentication, authorization, administration and recovery. The security strategy also needs to consider how it will embed good security practices into every area of the business. Training and awareness are vital in the overall strategy as security is often weakest at the end-user stage. It is here, as well, that one will consider the need for the development of methods and processes that enable the policies and standards to be more easily followed and implemented.
Resources need to be assigned to track developments in these enabling technologies and the products they support. For example, privacy continues to be important and increasingly the focus of government regulation, making privacy compliance technologies an important enabling technology.
The information security manager must understand that security is not a single step in the systems life cycle, nor can it be solved through technology alone. Rather, information security is an ongoing process that needs to be continuously managed.
 Additional information:
Ernst & Young, www.eyonline.com (Contains general security information.)
PricewaterhouseCoopers, www.pwcglobal.com/Extweb/service.nsf/docid/B0A2F4A55AED9E7E85256B10007E9B3D (Contains general security information.)
IBM, www-3.ibm.com/security (Contains general security information.)
Task 2
Obtain senior management commitment and support for information security throughout the enterprise.
Senior management (board-level directors or equivalent) should have a high level of commitment to:
Achieving high standards of corporate governance
Treating information security as a critical business issue and creating a security-positive environment
Demonstrating to third parties that the organization deals with information security in a professional manner
Applying fundamental principles such as assuming ultimate responsibility for information security, implementing controls that are proportionate to risk and achieving individual accountability
Task 2: Obtain senior management commitment and support for information security throughout the enterprise.
 
 
Senior management should have a high level of commitment to:
·        Achieving high standards of corporate governance
·        Treating information security as a critical business issue and creating a security-positive environment
·        Demonstrating to third parties that the organization deals with information security in a professional manner
·        Applying fundamental principles such as assuming ultimate responsibility for information security, implementing controls and achieving individual accountability
Providing high-level control

·        Providing high-level control

Note to Instructor:
Senior management commitment is a very important point and should be stressed at this point. Ask if anyone has examples of how having this commitment has made their job easier, and the security program better. Conversely, discuss how not having this commitment has made the security program at their organization less comprehensive and effective.
 Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.
Security governance activities should be defined in employee job descriptions
Roles and responsibilities should be clearly defined
Employee compensation is a tool that can be used to influence behavior
Job performance reviews should include security-related measurements
Information security manager should work with human resources to define and implement security-related policy changes
Task 3: Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.

  Establish reporting and communication channels that support information security governance activities.
Information security manager should report to a senior person in the organization (e.g. CIO, CFO, COO, CEO)
Metrics should be established to measure the security program
Metrics should be regularly reported
Should report to a senior group such as the board or a security committee
Should also report some metrics to all employees to promote security awareness (e.g., newsletters, intranet, formal classes)
Information security manager should also continue education through involvement in information security organizations
Task 4: Establish reporting and communication channels that support information security governance activities.

  Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.
Information security manager needs to identify and assess those legal and regulatory issues affecting information security that apply to their organization
It is possible that different governing bodies may have conflicting regulations
Some sources of regulations can include but are not limited to:
COBIT
Task 5: Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.

Sources for some of these regulations include but are not limited to:
·        ISO/IEC 17799
·        BS 7799
(Continued on next slide)
Task 5 (continued)
Some sources of regulations can include but are not limited to (continued):
HIPAA
Copyright and patent laws, for each country in which an organization performs business
Office of the Comptroller (OCC), Circular 235 and Thrift Bulletin 30
Security statutes (covering computer fraud, abuse and misappropriation of computerized assets), for example the Federal Computer Security Act
Federal Financial Institutions Examination Council (FFIEC) guidelines, which replaced previously issued Banking Circulars BC-177, BC-226, etc.
COSO
Continued from previous slide:
Sources for some of these regulations include but are not limited to:
·        HIPAA
·        Copyright and patent laws, for each country in which an organization performs business
·        Office of the Comptroller (OCC), Circular 235 and Thrift Bulletin 30
·        Security statutes (covering computer fraud, abuse and misappropriation of computerized assets), for example the Federal Computer Security Act
·        Federal Financial Institutions Examination Council (FFIEC) guidelines, which replaced previously issued Banking Circulars BC-177, BC-226, etc.
·        COBIT
·        COSO
·        Foreign Corrupt Practices Act (FCPA)
·        Vital records management statutes
·        Specifications for the retention and disposition of corporate electronic and hardcopy records, e.g., IRS records retention requirements
Task 5 (continued)
Some sources of regulations can include but are not limited to (continued):
Foreign Corrupt Practices Act (FCPA)
Vital records management statutes
See previous pages for speaker notes.
Note to Instructor: This would be a good spot to ask the group if they have experienced other sources of regulations. The instructors can provide information from their experience as well.
Also ask the group if these sources perform enforcement activities (fines, audits) or if they are more geared towards a dissemination of prudent business practices. Ask for the group’s experiences with any of these bodies.
  Establish and maintain information security policies that support business goals and objectives.
Process needs to be established for the development and maintenance of security policies
Should become a vital part of overall governance
Need to be continuously monitored and updated
Good practice is to establish a security policy template
Examples and supporting information for policies can be found in:
ISO/IEC 17799
BS 7799
Task 6: Establish and maintain information security policies that support business goals and objectives.
 
In developing security policies, it is good practice to use an established template. Developing a policy from scratch may omit certain areas inadvertently. There is a wealth of sources that can be tapped for input into a security policy including:
·        ISO/IEC 17799
·        BS 7799
 Steps for establishing and maintaining information security policies can include:
Implementing a process for the development and maintenance of security policies
Identifying the personnel responsible for various aspects of the security policy including approval
Researching existing organizational policies such as personnel and physical security policies
Developing the policy based on templates that already exist
Implementing a review of the security policy into the organization’s change management process
Steps for establishing and maintaining security policies can include:
·        Implementing a process for the development and maintenance of security policies
·        Identifying the personnel responsible for various aspects of the security policy including approval
·        Researching existing organizational policies such as personnel and physical security policies
·        Developing the policy based on templates that already exist
·        Implementing a review of the security policy into the organization’s change management process
·        Developing an awareness program to educate the organization’s employees on relevant aspects of the security policy
Note to instructor: Start a discussion stressing the importance of security policies and the difficulty (but common practice) of implementing technology solutions without strong and comprehensive security policies. Discuss how it is possible to implement a technology solution that fixes a security symptom without addressing the core vulnerability.
  Ensure the development of procedures and guidelines that support information security policies.
Technical and nontechnical procedures and guidelines should be built to support information security policies, including (technical):
Backup and recovery
Monitoring of policy compliance
Task 7: Ensure the development of procedures and guidelines that support information security policies.
There are procedures and guidelines that should be built to support information security policies. These can include technical procedures and guidelines regarding the components of an information technology environment including:
·        Backup and recovery
·        Monitoring of policy compliance
Technical and nontechnical procedures and guidelines should be built to support information security policies, including (nontechnical):
Review procedures
Authorization procedures
An overall process including the following should be established regarding security policies and the overall security program:
Assess
Design
Implement
Maintain
In addition, nontechnical procedures and guidelines should be considered such as:
·        Review procedures
·        Authorization procedures

  Develop business case and enterprise value analysis that support information security program investments.
Information security manager should seek to justify the value of security projects through methods such as:
Return On Investment (ROI)
Will likely need to present justification to senior management
Task 8: Develop business case and enterprise value analysis that support information security program investments.

Recently, the advances in single sign-on and user access provisioning technologies and procedures have resulted in savings in time and cost over traditional manual administration techniques. There are a number of examples that compare the costs of traditional processes against the newer procedures, and these can be used in the business case that most information security managers need to develop.
  Several organizations including universities have begun to promote return on security investment methodologies. One example is below:
(R-E) + T = ALE
“T” is the cost of the intrusion detection tool.
“E” is the dollar savings gained by stopping any number of intrusions through the introduction of an intrusion detection tool.
“R” is the cost per year to recover from any number of intrusions.
One example of ROSI comes from University of Idaho researchers who developed this formula for calculating the ROI of using intrusion detection as a security defense:
(R-E) + T = ALE
“T” is the cost of the intrusion detection tool.
“E” is the dollar savings gained by stopping any number of intrusions through the introduction of an intrusion detection tool.
“R” is the cost per year to recover from any number of intrusions.
 
 
 
Note: The above detailed calculation is for informational purposes only and no such calculation will be contained in the CISM examination.
Note to Instructor: Provide an example to the group of how developing a sound business case for one of your security projects helped gain the approval for the project.
Information security policies and procedures are required to protect an organization’s information
Information security manager is responsible for understanding:
the business need for security
its importance to the organization
Information technology security is a subset of information security and tends to focus on technical mechanisms necessary to protect electronic data.
Knowledge Statement 1 (cont)
The information security manager should be aware of generally accepted security concepts including:
Confidentiality
Integrity
Availability
The information security manager should be aware of generally accepted security concepts including:
·        Confidentiality
·        Integrity
·        Availability
Knowledge of the relationship between information security and business operations
The relationship needs to be in place and maintained and can be developed through activities such as:
Understanding the business mission
Obtaining upper management understanding and support
Developing security procedures and guidelines that align with the business objectives of the organization
Establishing a security governance process
Knowledge of the relationship between information security and business operations
The relationship between information security and business operations needs to be in place and maintained. This relationship can be developed through activities such as:
·        Understanding the business mission
·        Obtaining upper management understanding and support
·        Developing security procedures and guidelines that align with the business objectives of the organization
·        Establishing a security governance process
 
Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Institute, 2001, www.itgovernance.org
Knowledge Statement 3
Knowledge of techniques used to secure senior management commitment and support of information security management
Formal presentations are most used technique
Used to educate and communicate key security program aspects
Should employ common business practices including:
Aligning security objectives with business objectives
Identifying budget items so that senior management can quantify the costs of the security program
Utilizing commonly accepted project risk/benefit models, such as TCO or ROI
Knowledge of techniques used to secure senior management commitment and support of information security management
 
The formal presentation to senior management often is used as a means to educate and communicate key aspects of the overall security program. This acceptance is facilitated by the information security manager applying common business case aspects during the acceptance process. These can include:
·        Aligning security objectives with business objectives enabling senior management to understand and apply the security policies and procedures
·        Identifying budget items so that senior management can quantify the costs of the security program
·        Utilizing commonly accepted project risk/benefit models, such as total cost of ownership (TCO) or return on investment (ROI), to quantify the benefits and costs of the security program
·        Defining the monitoring measures that will be included in the security program
·        Utilizing methods such as balanced business scorecards, which provide senior management with a means of analyzing the progress of the security program
·        Requiring that risk management be integrated into the operation of the security program
·        Ensuring that clear accountabilities/responsibilities are defined
 
Should employ common business practices including (continued):
Utilizing methods such as balanced business scorecards
Requiring that risk management be integrated into the operation of the security program
Ensuring that clear accountabilities/responsibilities are defined
 The formal presentation to senior management often is used as a means to educate and communicate key aspects of the overall security program. This acceptance is facilitated by the manager applying common business case aspects during the acceptance process. These can include:
·        Aligning security objectives with business objectives enabling senior management to understand and apply the security policies and procedures
·        Identifying budget items so that senior management can quantify the costs of the security program
·        Utilizing commonly accepted project risk/benefit models, such as total cost of ownership (TCO) or return on investment (ROI), to quantify the benefits and costs of the security program
·        Defining the monitoring measures that will be included in the security program
·        Utilizing methods such as balanced business scorecards, which provide senior management with a means of analyzing the progress of the security program
·        Requiring that risk management be integrated into the operation of the security program
·        Ensuring that clear accountabilities/responsibilities are defined
 
 
IT Governance Institute, Board Briefing on IT Governance, Rolling Meadows, Illinois, 2001, www.itgi.org/resources.htm , (provides senior level guidance on IT Governance)
Knowledge of methods…