Transcript

  • 1. Enforcing Business Rules and Information Security Policies through Compliance Audits Frederick Yip, Pradeep Ray, Nandan Paramesh School of Computer Science & Engineering School of Information Systems & IT Management University of New South Wales Sydney, Australia April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales
  • 2. Outline
     Background – what is the industry doing?
     Problem – what are the challenges?
     Motivation – how did these challenges motivate the research?
     XISSF – compliance mechanism
     Limitations & future work – holistic framework
     Conclusion
  • 3. Background
     Ever-increasing pressure and responsibility for organizations to fulfil the requirements enforced by different regulations
     By actively assessing corporate security compliance based on renowned standards, guidelines and best practices (e.g. CobiT, ISO 17799), organizations secure trust and recognition from customers and business partners
     Compliance spending: US$15.5 billion in 2005; US$5.8 billion for Sarbanes-Oxley alone in 2005; estimated to exceed US$80 billion over the next 5 years
     HIPAA affects organizations that maintain medical health information
     New! European 8th Directive – SOX equivalent in the EU – currently in draft
  • 4. Standards
     CobiT v3, CobiT v4 – Control Objectives for Information and related Technology
     ISO/IEC 17799:2000, ISO/IEC 17799:2005 – Information technology - Security techniques - Code of practice for information security management
     AS/NZS 17799:2001 – Information technology - Code of practice for information security management
     BSI – IT Baseline Protection Manual
     BS 7799, ISO 27001 – Information technology - Security techniques - Information security management systems – Requirements
  • 5. The Problem
     Multi-regulation
       3 out of 4 organizations must comply with 2 or more regulations
       43% of organizations must comply with 3 or more regulations
     Too many standards – which one should you use? The answer depends on:
       Regulations
       Organization structure
       Jurisdiction
       Industry
       Auditor
     Standards are different
       Some overlap
       They change from time to time (versions)
     Manual process – time consuming
       Requires co-ordination and co-operation from business units
       Subjective
  • 6. Compliance Process
     Legislation and regulation are ambiguous to IT
     The need for a common Infosec specification format that can be distributed to other business units
     What about multiple information security standards?
     The need for a uniform way of checking compliance to policies and best practices
     The need for a uniform way to report audit and compliance results
    [Figure: the traditional compliance chain. Legislation (textual information) is read by the CIO and a Legal & Compliance Expert, who select a Standard (textual information); Standard Expert(s) pass it to the Regional IT Manager, then to Branch IT Managers, and finally to System Administrators, who work from traditional checklists.]
  • 7. eXtensible Information Security Specification Format (XISSF)
     What is it?
       Common Infosec specification format and platform - not vendor or firm specific
       Based on XML
       Textual descriptions of the security clauses or safeguards within Infosec standards are restructured and codified
     XISSF is capable of:
       Encapsulating and segregating the clauses extracted from different textual standards
       Heterogeneous clauses from multiple standards can be encapsulated in a single XISSF document
       Transportable between business units - across a global business
       Expressing information security specifications explicitly – decreases ambiguity
       A uniform way of checking compliance to policies and best practices
       A machine-interpretable format for computer-aided assessment of security compliance
  • 8. XISSF
    [Figure: element hierarchy. XISSF → GROUP → CLAUSE → OBJECTIVE, CHECKPOINT, CHECKPOINT]
     Foundation for providing automated support for compliance audits
     Addresses the problem of heterogeneous information security standards
     Agents can be designed to perform routine and subjective tasks based on XISSF – mobile agents and multi-agent systems
     Tags
       GROUP: due, reminder, reference, …
       CLAUSE: id, required, role, …
       OBJECTIVE: title, pre-req, …
       CHECKPOINT: description, weight, required, threat type, constraints, pre-requisites, …
     An enclosed weighting metric for each checkpoint in the clauses, for audit and assessment purposes
     Atomic actionable questions or statements are identified as checkpoints
  • 9. Regulations/Standards/Clauses/Checkpoints
    [Figure: four-layer hierarchy, top to bottom]
     Regulations: SOX, HIPAA, government regulations, …
     satisfied by Infosec standards: ISO 17799, CobiT, ISF, ITIL, BSI, …
     Security clauses extracted from standards: e.g. ISO 17799:2005 9.2.2, CobiT v4 DS4, …
     Checkpoints extracted from clauses: e.g. CobiT v4 DS4.1
  • 10. Sample Clause - ISO17799
    Source clause as printed beside the XML on the slide (ISO/IEC 17799:2005, 5.1.1 Information security policy document):
    Control: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
    Implementation guidance: The information security policy document should state management commitment and set out the organization's approach to managing information security. The policy document should contain statements concerning:
    a) a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing (see introduction);
    b) a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
    c) a framework for setting control objectives and controls, including the structure of risk assessment and risk management;
    ....

    The same clause codified in XISSF (the closing tags, cut off on the slide, are restored):

    <?xml version="1.0" encoding="UTF-8"?>
    <xissf xmlns="http://www.cse.unsw.edu.au/xissf"
           xmlns:xissf="http://oval.mitre.org/XMLSchema/xissf"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           version="0.2"
           xsi:schemaLocation="http://www.cse.unsw.edu.au/xissf xissf.xsd">
      <status date="2006-01-06">draft</status>
      <title>XISSF Sample</title>
      <description>XISSF - eXtensible Information Security Specification Format. This document defines a list of security specification policies that should be enforced on the organization. This can vary from technical policies to abstract business level processes.</description>
      <group due="000024052006" reminder="000012052006">
        <reference>
          <title>ISO17799</title>
          <organization>International Standard Organization</organization>
          <format>ISO17799:2005</format>
          <version>2005</version>
          <url>http://www.iso.org</url>
        </reference>
        <clause id="5.1.1" required="true" weight="1" prereq="6.1.5">
          <title>Information security policy document</title>
          <objective>An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.</objective>
          <checkpoint required="true" weight="1" role="IT Manager">
            <description>The information security policy document should state management commitment and set out the organization's approach to managing information security.</description>
          </checkpoint>
          <checkpoint required="true" weight="1">
            <description>The policy document should contain statements concerning a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing.</description>
          </checkpoint>
          <checkpoint required="true" weight="1">
            <description>The policy document should contain statements concerning a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives.</description>
          </checkpoint>
        </clause>
      </group>
    </xissf>
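The sample above, together with the tag set on slide 8 (weight, required, role, prereq, due), is enough to build the computer-aided assessment the deck proposes. What follows is an added example written for this page, not code from the XISSF project or its authors: a minimal assessment engine that parses an XISSF document, orders clauses so a clause is assessed after its prerequisite, splits checkpoints by role, and scores each clause from the auditor's pass/fail results. Assumptions, each also marked in the code: a checkpoint `id` attribute (the slide's checkpoints carry none), a constructed clause 6.1.5 standing in for the prerequisite that 5.1.1 names, the 12-digit `due` value read as zero-padded DDMMYYYY, and the scoring rule (weight earned over weight available; a clause is compliant only when its prerequisite is compliant and every required checkpoint passed; an unassessed checkpoint counts as failed).

```python
import xml.etree.ElementTree as ET
from datetime import date

NS = {"x": "http://www.cse.unsw.edu.au/xissf"}

# Constructed XISSF document, cut down from the slide's sample.  Checkpoint
# 'id' attributes and clause 6.1.5 are assumptions: the slide's checkpoints
# carry no id, and 5.1.1 names 6.1.5 as prereq without showing it.  5.1.1 is
# listed first on purpose so the prerequisite ordering has work to do.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<xissf xmlns="http://www.cse.unsw.edu.au/xissf" version="0.2">
  <status date="2006-01-06">draft</status>
  <group due="000024052006" reminder="000012052006">
    <reference><title>ISO17799</title><version>2005</version></reference>
    <clause id="5.1.1" required="true" weight="1" prereq="6.1.5">
      <title>Information security policy document</title>
      <checkpoint id="5.1.1-1" required="true" weight="1" role="IT Manager">
        <description>The policy document states management commitment and
        sets out the approach to managing information security.</description>
      </checkpoint>
      <checkpoint id="5.1.1-2" required="false" weight="1">
        <description>The policy document defines information security, its
        objectives and scope.</description>
      </checkpoint>
    </clause>
    <clause id="6.1.5" required="true" weight="1">
      <title>Constructed prerequisite clause</title>
      <checkpoint id="6.1.5-1" required="true" weight="1" role="Legal">
        <description>Constructed checkpoint that 5.1.1 depends on.</description>
      </checkpoint>
    </clause>
  </group>
</xissf>
"""


def parse_due(value):
    """Assumption: the slide's 12-digit due/reminder values are zero-padded DDMMYYYY."""
    if not value:
        return None
    d = value[-8:]
    return date(int(d[4:]), int(d[2:4]), int(d[:2]))


def parse(xml_text):
    """Turn an XISSF document into plain dicts: groups -> clauses -> checkpoints."""
    root = ET.fromstring(xml_text)
    groups = []
    for g in root.findall("x:group", NS):
        clauses = []
        for c in g.findall("x:clause", NS):
            checkpoints = [{
                "id": cp.get("id"),
                "required": cp.get("required") == "true",
                "weight": float(cp.get("weight", "1")),
                "role": cp.get("role"),
                "description": " ".join(cp.findtext("x:description", "", NS).split()),
            } for cp in c.findall("x:checkpoint", NS)]
            clauses.append({"id": c.get("id"), "weight": float(c.get("weight", "1")),
                            "prereq": c.get("prereq"), "checkpoints": checkpoints})
        groups.append({"due": parse_due(g.get("due")), "clauses": clauses})
    return groups


def order_clauses(clauses):
    """Depth-first order so every clause is assessed after its prereq; rejects cycles."""
    by_id = {c["id"]: c for c in clauses}
    ordered, done = [], set()

    def visit(c, path):
        if c["id"] in done:
            return
        if c["id"] in path:
            raise ValueError("prereq cycle through " + c["id"])
        if c["prereq"]:
            if c["prereq"] not in by_id:
                raise KeyError("clause %s needs missing prereq %s" % (c["id"], c["prereq"]))
            visit(by_id[c["prereq"]], path | {c["id"]})
        done.add(c["id"])
        ordered.append(c)

    for c in clauses:
        visit(c, frozenset())
    return ordered


def checkpoints_for_role(groups, role):
    """Role-based work split: ids of the checkpoints assigned to one role."""
    return [cp["id"] for g in groups for c in g["clauses"]
            for cp in c["checkpoints"] if cp["role"] == role]


def assess(groups, results, today):
    """results: checkpoint id -> True (pass) / False (fail) recorded by the auditor.
    Returns per-clause score/compliance/issues plus an overall clause-weighted score."""
    clauses, weighted, total_weight = {}, 0.0, 0.0
    for g in groups:
        overdue = g["due"] is not None and today > g["due"]
        for c in order_clauses(g["clauses"]):
            issues = []
            if c["prereq"] and not clauses[c["prereq"]]["compliant"]:
                issues.append("prerequisite %s not compliant" % c["prereq"])
            earned = avail = 0.0
            for cp in c["checkpoints"]:
                avail += cp["weight"]
                if results.get(cp["id"], False):      # unassessed counts as failed
                    earned += cp["weight"]
                elif cp["required"]:
                    issues.append("required checkpoint %s failed" % cp["id"])
            score = earned / avail if avail else 0.0
            clauses[c["id"]] = {"score": score, "compliant": not issues,
                                "overdue": overdue, "issues": issues}
            weighted += c["weight"] * score
            total_weight += c["weight"]
    return {"clauses": clauses, "score": weighted / total_weight if total_weight else 0.0}


if __name__ == "__main__":
    groups = parse(SAMPLE)
    # Constructed audit results: only the non-required checkpoint 5.1.1-2 fails.
    outcome = assess(groups, {"6.1.5-1": True, "5.1.1-1": True, "5.1.1-2": False}, date(2006, 5, 1))
    for cid, report in outcome["clauses"].items():
        print(cid, report)
    print("overall", outcome["score"])
```

Two things worth noting about the design. Prerequisite failure propagates: when 6.1.5 is non-compliant, 5.1.1 is reported non-compliant even if all of its own checkpoints pass, which is what `prereq` is for. And `overdue` is carried as a separate flag rather than folded into the score, so a late audit is distinguishable from a failed one.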
  • 11. Scenario
    [Figure: a public company listed in the United States is regulated by SOX and HIPAA and satisfies both by implementing ISO 17799 and CobiT. It has branch offices in Australia and Germany, and a US subsidiary providing health services that is regulated by HIPAA.]
  • 12. Limitation & Future Work
     Preliminary in nature, but essential for any future work
     Checkpoints are currently in English – human intervention required
     Improve automation
       Ontology-based schema for each governance standard
       Application of concept learning/extraction methodologies to IT standards
       Assessment strategy based on XISSF
       Agent-based compliance management based on XISSF
  • 13. The Big Picture
    [Figure: the compliance chain of slide 6 with XISSF inserted. Legislation X, Y and Z (textual information) are read by the CIO and the Legal & Compliance Expert; Standards A and B (textual information) are codified by Standard Expert(s) into XISSF; Interface Agents carry the XISSF checklists to the Regional IT Manager and Branch IT Managers, and on to IT Managers / System Administrators. Involvement of each role is shown against the layer it touches.]
  • 14. Conclusion
     An approach and mechanism to express explicit information security requirements and compliance audits in a codified format
     Increases portability, especially for a global business
     Provides a foundation for computer-assisted compliance auditing
     Normalization of XISSF decreases redundant compliance tasks and identifies conflicts
     Reduces interaction time in compliance and improves efficiency
     Better modularization to segregate compliance tasks
       Role-based
       Ability to consolidate and extend multiple, heterogeneous Infosec specifications
     The process of compliance is an important component of ensuring IT security controls are employed and used correctly
     It is a continuous effort!
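The conclusion's claim that normalization removes redundant tasks and surfaces conflicts follows from slides 5 and 9: several standards overlap, and one control can be required by more than one of them. The deck does not show how overlapping checkpoints are matched, so the following is an added example, not the authors' code, that assumes a normalized control key (`maps_to`, hypothetical) on each parsed checkpoint. Under that assumption it collapses checkpoints from two standards into one audit task per control, reports where the sources disagree on `required` or `role`, and maps a single audit result back to every source checkpoint it satisfies. The checkpoint identifiers and weights below are constructed sample data, not quoted from ISO 17799 or CobiT.

```python
from collections import defaultdict

# Constructed checkpoints in parsed form, from two XISSF groups (one per
# standard).  'maps_to' is an assumption: a normalized control key under
# which overlapping checkpoints from different standards are recognised as
# one audit task.  Identifiers other than 5.1.1 are constructed.
CHECKPOINTS = [
    {"id": "iso17799/5.1.1-1", "standard": "ISO17799:2005", "maps_to": "policy.approved",
     "required": True, "weight": 1.0, "role": "IT Manager"},
    {"id": "cobit4/policy-1", "standard": "CobiT v4", "maps_to": "policy.approved",
     "required": True, "weight": 2.0, "role": "IT Manager"},
    {"id": "iso17799/policy-2", "standard": "ISO17799:2005", "maps_to": "policy.reviewed",
     "required": False, "weight": 1.0, "role": "IT Manager"},
    {"id": "cobit4/policy-2", "standard": "CobiT v4", "maps_to": "policy.reviewed",
     "required": True, "weight": 1.0, "role": "CIO"},
    {"id": "cobit4/continuity-1", "standard": "CobiT v4", "maps_to": "continuity.framework",
     "required": True, "weight": 1.0, "role": "IT Manager"},
]


def normalize(checkpoints):
    """Collapse checkpoints that map to the same control into one audit task.
    Merge rule (assumed): a task is required if any source requires it and
    carries the largest source weight.  Disagreements on 'required' or 'role'
    are returned as conflicts for a human to resolve, not silently merged."""
    by_control = defaultdict(list)
    for cp in checkpoints:
        by_control[cp["maps_to"]].append(cp)
    tasks, conflicts = {}, []
    for control, cps in by_control.items():
        roles = sorted({cp["role"] for cp in cps})
        tasks[control] = {
            "sources": [cp["id"] for cp in cps],
            "standards": sorted({cp["standard"] for cp in cps}),
            "required": any(cp["required"] for cp in cps),
            "weight": max(cp["weight"] for cp in cps),
            "roles": roles,
        }
        if len({cp["required"] for cp in cps}) > 1:
            conflicts.append((control, "required", {cp["id"]: cp["required"] for cp in cps}))
        if len(roles) > 1:
            conflicts.append((control, "role", {cp["id"]: cp["role"] for cp in cps}))
    return tasks, conflicts


def tasks_saved(checkpoints):
    """Number of redundant audit tasks that normalization removes."""
    tasks, _ = normalize(checkpoints)
    return len(checkpoints) - len(tasks)


def satisfied_checkpoints(tasks, task_results):
    """task_results: control key -> pass/fail for the normalized task.
    Returns every source checkpoint (across all standards) that one passing
    task result satisfies, so each standard's report can be filled in from
    a single audit."""
    return {src for control, task in tasks.items()
            if task_results.get(control, False) for src in task["sources"]}


if __name__ == "__main__":
    tasks, conflicts = normalize(CHECKPOINTS)
    print("audit tasks:", len(tasks), "saved:", tasks_saved(CHECKPOINTS))
    for conflict in conflicts:
        print("conflict:", conflict)
    print(sorted(satisfied_checkpoints(tasks, {"policy.approved": True})))
```

The strictest-wins rule is deliberate: if one standard makes a control mandatory, merging it as optional would silently weaken the stricter standard's audit. A role disagreement is reported rather than resolved because it is an organizational decision (slide 13 puts that with the Standard Experts), not something the format can settle.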