2. The size of the security team depends on
• Size of the enterprise
• Systems environment (distributed versus centralized)
• Number of components in the operating environment
• Organizational and management structure of the enterprise
• Number and locations of operational sites (e.g., national versus international)
• How the sites are interconnected
• Assessed risk
• IT Strategic Plan
• IT budget
3. Key challenges
• Migration of the security function from a centralized, mainframe-based function to an effective governing body in the distributed systems environment.
• Understanding the different security requirements for all of the technology implementations within the enterprise.
• Obtaining adequately budgeted resources.
• Overutilization of employees.
4. Who are the key players of the security organization?
• The Chief Information Officer (CIO), the Chief Financial Officer (CFO), the Security Officer, security coordinators or liaisons, application coordinators, Human Resources, Legal Counsel, help desk, department management, and all system and information users.
6. The Executive Committee for Security
• Responsible for ensuring that the objective of a secure operating environment, through the establishment of an ISA, is clearly defined in the enterprise strategic plans.
• Includes the CEO, the CFO, the COO, the CIO, the Security Officer, department or business unit directors, advisors to executive management, and/or members of the Board of Directors.
7. The Chief Information Officer
• IT policy and aligning IT strategy with business strategies
• Business technology planning process, including the sponsorship of collaborative planning processes
• New and existing applications development for enterprise initiatives and overall coordination for business unit or divisional initiatives
• IT infrastructure and architecture (e.g., computers and networks) operations and investment decisions
• Sourcing and purchase decisions, which include make-versus-buy decisions relative to outsourcing versus in-house provisioning of IT services and skills
• Establishing partnerships, including strategic relationships with key IT suppliers and consultants
• Technology transfer by providing enabling technologies that make it easier for customers and suppliers to do business with the enterprise, as well as increase revenue and profitability
• Maintaining customer satisfaction with internal and external clients
• Implementation of security initiatives related to all IT components to protect the infrastructure and reduce risk to a manageable and acceptable level
• Providing training for all IT users to ensure productive use of existing and new systems
10. The Chief Financial Officer
• Determining and maintaining the adequacy of internal controls to ensure that enterprise assets are safeguarded and liabilities are appropriately minimized
• Ensuring the adequacy of accounting systems and procedures to enable the accurate reporting of the company’s financial position and operating results, and the proper recording of corporate transactions
• Directing the preparation of internal monthly, quarterly, and annual financial and operating results
• Ensuring the accurate and timely preparation of external SEC and shareholder reports, as well as those required by other institutions
• Overseeing the development of financial information systems enterprise-wide to promote the timely and accurate assimilation, consolidation, and reporting of financial results and position
• Supporting the ongoing IS projects and improving the strategic capabilities of the Controller’s function to balance its existing tactical strength
12. The Security Officer
• Communicate with executive management on the risks and controls related to the business and operational systems environment
• Ensure that appropriate user access and authentication controls are in place
• Ensure that the documented security policies, standards, and procedures are reviewed, updated, and maintained periodically by appropriate individuals
• Evaluate security exposures, misuse, or noncompliance situations, and ensure implementation of security controls to address those incidents
• Ensure that all business unit/department Security Coordinators understand and execute their security responsibilities in accordance with related policies, standards, and procedures
• Organize and conduct periodic Security Team meetings
• Research security Web sites, CERT advisories, publications, vendor correspondence on application patches, updates, and version releases, and the media for recent exposures and their fixes in operating systems and networks
• Develop and implement the Security Awareness Program with assistance from Security Team members
• Develop and implement the Review and Compliance Program with assistance from Security Team members
15. Security Officer Placement (Mature Security Life Cycle)
• When the ISA in the enterprise has become mature through several cycles of assessment, mitigation, audit, and effective compliance
17. The Security Team
• Represent particular security and business continuation issues and concerns within each enterprise location
• Identify risks within each member’s area of concentration and ensure that appropriate controls are implemented to address these risks
• Develop, review, and recommend all security policies, standards, and procedures that will be implemented across sites
• Develop and implement an Information Security Awareness Program for all information technology administrators, development personnel, users, and their management, and administer the implementation of this program within their area
• Create and maintain the security architecture as well as champion the implementation process
19. Security Coordinators or Liaisons
• The coordinator’s primary responsibility is to ensure that appropriate user access within the scope of their business function is maintained.
• Ensuring that application access forms are initiated for existing and new users within the respective departmental area
• Ensuring that access is modified or deleted when employees and non-employees (e.g., consultants, contractors, business partners) operating within their business function or site are transferred or terminated
• Conducting user security awareness within their departmental function
• Ensuring that the enterprise Confidentiality Agreement and exit interview forms are signed by all users operating within their department or area of responsibility
• Actively participating as a member of the Security Team
• Coordinating with the Security Officer on all security-related matters
21. Departmental Management
• Departmental management is responsible for establishing the overall security strategy for department information.
• Classification of information owned by the department.
• Classifications will indicate the level of sensitivity and availability required for the information.
22. Network and Application Administrators
• Network and application administrators are technically responsible for the operation of the network or application.
• Risk assessment and the identification of vulnerabilities
• These administrators are responsible for assisting the departmental manager in implementing and managing information technology policies, procedures, standards, and departmental guidelines for a particular component of the operating environment.
• The difference between the security coordinator (liaison) and the network administrator is that the security coordinator works within the business unit and is aware of the appropriate access policies for each employee within that department or business unit.
• The network and application administrators actually implement the access control policies for each individual but may have no knowledge of whether the access is appropriate.
24. Human Resources
• Human Resources and departmental management are responsible for providing timely information to the enterprise LAN managers and application administrators about employee termination or transfers so that appropriate steps can be taken to revoke or change access to systems and information.
• New hires will be given the opportunity to read the Security Policy and Confidentiality Agreement and sign an acknowledgment form.
25. Legal Counsel
• Responsible for reviewing all security policies and procedures for enforceability.
• Breach of confidentiality, misuse of information, or destruction of information, files, or programs is often cause for termination or the subject of legal liability.
• The law requires that monitoring procedures be disclosed to the users of the application or resource.
26. Audit
• Four levels of audit functions:
– Internal audit function, including electronic data processing (EDP) auditing
– External audit function required by the SEC, NYSE, NASDAQ, and AMEX and performed by public accounting and auditing firms
– Component audits performed by the system administrators and security liaisons
– Compliance audits performed by the Security Officer and Security Team
27. Internal Audit
• Its primary responsibility is to assess risk, measure compliance to policy, validate financial reporting, and provide corporate governance.
• Understand the organization’s business, the accounting process, and internal control concepts.
• Assess risk at the account and potential error levels.
• Plan the audit approach and test of controls.
• Test controls and ensure that adequate internal controls are in place.
• Review the corporate code of conduct and monitor compliance with it.
• Ensure integrity and objectivity of financial statements.
• Review financial statements and recommend their approval to the board.
• Oversee the company quarterly reporting process.
• Consider selection, implementation, and impact of significant accounting policies.
• Review management judgment of accounting methods and estimates.
• Understand financial and operational issues.
• Participate in activities designed to prevent and detect fraud.
• Remain independent of management.
• Review legal company obligations and pending litigation.
• Review company insurance coverage.
• Review compliance reports to regulatory agencies.
• Review company budgets and executive expenses.
• Participate in the selection of external auditors to enhance their independence.
• Review external auditors’ findings and communicate with external auditors on financial issues.
• Monitor management responses to external auditors.
31. IS Auditor
• Analyze a system or component to formulate the best approach for performing the audit.
• Prepare audit work-plans for each system or component.
• Review the system’s processes and documentation to determine compliance with stated data processing standards.
• Review the system’s input and output to verify the correctness of the transaction processing and reports.
• Ensure that systems produce the desired information.
• Evaluate and review proposed applications to provide input into the design of new systems regarding internal controls and adaptability.
• Periodically review data processing facilities to ascertain organizational and operational effectiveness.
• Provide audit support to other audit staff.
• Coordinate the use of IS audit procedures for operational and financial audits.
• Examine computer systems documentation and output to ensure the presence of adequate controls.
• Develop audit reports and recommendations to IS and business management that identify irregularities or deviations from established policies and procedures.
33. External Audit
• The external auditor is the financial statement auditor.
• Auditors perform procedures to obtain sufficient evidence to express an opinion as to whether an entity has maintained, in all material respects, effective internal control over financial reporting as of a point in time, based on “control criteria.”
34. Control criteria include
• The control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
35. Control criteria categories
• Effectiveness and efficiency of operations
• Compliance with laws and regulations
• Reliability of financial reporting