TechSecure,  Trust Services, Principles, Criteria 2009
Published in: Business
Transcript

  • 1. Compiled by: Mark E.S. Bernard, CISA, CRISC, CGEIT, CISSP, CISM, ISO 27001 Lead Auditor, SABSA-F2 Security Service Management *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
  • 2. • Introduction • TSPC Overview • Project Charter • GAP Assessment • GAP Report • Next Steps
  • 4. The GAP Assessment is often used to determine how closely an organization has come to successfully implementing or adopting a best practice. To take the GAP Assessment one step further we have adopted the approach used to assess the maturity of business processes. Our strategy adds value to our approach by allowing us to provide greater insight. We do not just determine whether the Enterprise has come close to adopting a best practice; we can also say how close it came and how well it is doing across the board. Typically many companies are stronger in some areas and weaker in others. In addition, while the GAP Assessment and Maturity Assessment provide important intelligence about the current state of the Enterprise, ISO substitutes the concept of conformity for that of compliance: ISO focuses on opportunities for improvement rather than on compliance or noncompliance.
  • 5. Mark E.S. Bernard, CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001, SABSA-F2 Information Security, Privacy, Governance, Risk Management Consultant. Mark has 24 years of proven experience within the domain of Information Security, Privacy & Governance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 Million +. Mark has also provided oversight as a senior manager during a government outsourcing contract valued at $300 million and smaller contracts for specialized services for ERP systems and security testing. Mark has led his work-stream during the RFP process, negotiations, on-boarding, contract renegotiation and as Service Manager. Mark has architected information security and privacy programs based on ISO 27001 and reengineered IT processes based on Service Manager ITIL/ISO 20000, building in Quality Management ISO 9001. Mark is a volunteer on the local professional associations for HTCIA, ISACA, ISSA, IIA. Mark has also been published in trade magazines and on the Internet in addition to being sought after as an expert by local radio, newspapers and television. Mark has taught as a Professor of a third-year iSeries systems engineering course, led many workshops and delivered keynote speeches. Mark’s expertise has been applied in a number of verticals including Financial Services, Banking, Insurance, Pharmaceutical, Telecommunications, Technology, Manufacturing and Academia.
Some of Mark’s recent project highlights are as follows. Accomplishments: • In 2012 assisted an Executive Relocation Organization to ISO/IEC 27001 Registration/Certification • In 2012 assisted a Nanotechnology Fabrication Facility to ISO/IEC 27001 Registration/Certification • In 2012 assisted a Cloud Software as a Service Provider to ISO/IEC 27001 Registration/Certification • In 2010/11 co-led a US-based Cloud Service Provider ISO/IEC 27001 Registration/Certification • In 2009 led the 1st Canadian Public Sector ISO/IEC 27001 Registration/Certification • In 2009 led the On-boarding Project for an ERP Service Provider • In 2009 led the Technology and Operations work-stream during a Negotiated Request for Proposal • In 2007 led the 1st Canadian Online Banking, Trade & Wholesale Service to ISO/IEC 27001 Registration/Certification • In 2005 led the Privacy, Security, and Privacy Compliance work-stream during outsourcing to an alternate service delivery organization • In 2002 led Information Security Program development for an International Food Manufacturer • In 1999 led an Independent Security Assurance Review of financial systems located offshore.
  • 7. Introduction .01 This section provides guidance to a practitioner providing attestation services, advisory services, or both that address IT-enabled systems including electronic commerce (e-commerce) systems and privacy programs. The guidance is relevant when providing services with respect to system security, availability, processing integrity, confidentiality, and privacy. .02 The guidance provided in this section includes: • trust services principles and criteria; • examples of system descriptions; and • illustrative practitioner reports for trust services engagements.
  • 8. Trust Services .03 The term trust services is defined as a set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. Trust services principles and criteria are issued by the Assurance Services Executive Committee of the AICPA (the committee).
  • 9. Attestation Services .04 Attestation services include examination, review, and agreed-upon procedures engagements. In examination and review engagements, the reporting practitioner expresses an opinion. In an examination engagement, for example, there is an opinion as to whether controls over a defined system were operating effectively to meet the criteria for systems reliability. In an agreed-upon procedures engagement, the practitioner does not express an opinion but rather performs procedures agreed upon by specified parties and reports the findings. Attestation services are developed in accordance with AT section 101, Attest Engagements (AICPA, Professional Standards, vol. 1).
  • 10. A system consists of five key components organized to achieve a specified objective. The five components are categorized as follows: • Infrastructure. The physical and hardware components of a system (facilities, equipment, and networks) • Software. The programs and operating software of a system (systems, applications, and utilities) • People. The personnel involved in the operation and use of a system (developers, operators, users, and managers) • Procedures. The programmed and manual procedures involved in the operation of a system (automated and manual) • Data. The information used and supported by a system (transaction streams, files, databases, and tables)
  • 11. Advisory Services .05 In the context of trust services, advisory services include strategic, diagnostic, implementation, sustaining, and managing services using trust services principles and criteria. Practitioners providing such services follow CS section 100, Consulting Services: Definitions and Standards (AICPA, Professional Standards, vol. 2). The practitioner does not express an opinion in these engagements.
  • 12. Principles, Criteria, and Illustrative Controls .06 The following guidance sets out (1) principles, which are broad statements of objectives, and (2) specific criteria that should be achieved to meet each principle. Criteria are benchmarks used to measure and present the subject matter and against which the practitioner evaluates the subject matter. The attributes of suitable criteria are objectivity, measurability, completeness, and relevance. The committee has concluded that the trust services criteria have all the attributes of suitable criteria. Furthermore, the publication of this guidance makes the criteria available to users. Trust services principles are used to describe the overall objective; however, the practitioner’s opinion makes reference only to the criteria.
  • 13. .07 In the trust services principles and criteria, the criteria are supported by a list of illustrative controls that, if operating effectively, enable a system to meet the criteria. These illustrations are not intended to be all-inclusive and are presented as examples only. Actual controls in place at an entity may not be included in the list, and some of the listed controls may not be applicable to all systems and client circumstances. The practitioner should identify and assess the relevant controls that the client has in place to satisfy the criteria. The choice and number of those controls would be based on such factors as the entity’s management style, philosophy, size, and industry.
  • 14. .08 The following are the types of engagements a practitioner may perform using the trust services principles and criteria: • Reporting on the operating effectiveness of an entity’s controls over the system. • Reporting on the operating effectiveness of an entity’s controls and the entity’s compliance with its commitments related to the trust services principle(s) and criteria. • Reporting on the suitability of the design of the entity’s controls over the system to achieve the trust services principle(s) and criteria, if the controls were operating effectively. (This engagement would typically be performed prior to the system’s implementation.)
  • 15. Consistency with Applicable Laws and Regulations, Defined Commitments, Service-Level Agreements, and Other Contracts .09 Several of the principles and criteria refer to “consistency with applicable laws and regulations, defined commitments, service-level agreements, and other contracts.” Management is responsible for identification of and compliance with laws and regulations. It is beyond the scope of the engagement for the practitioner to undertake identification of all relevant “applicable laws and regulations, defined commitments, service-level agreements, and other contracts.”
  • 16. Foundation for Trust Services—Trust Services Principles and Criteria .10 The following principles and related criteria have been developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) for use by practitioners in the performance of trust services engagements: a. Security. The system is protected against unauthorized access (both physical and logical). b. Availability. The system is available for operation and use as committed or agreed. c. Processing integrity. System processing is complete, accurate, timely, and authorized. d. Confidentiality. Information designated as confidential is protected as committed or agreed. e. Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA (found in appendix D [paragraph .48]).
  • 17. .11 The trust services principles and criteria of security, availability, processing integrity, and confidentiality are organized into four broad areas: a. Policies. The entity has defined and documented its policies relevant to the particular principle. (The term policies as used here refers to written statements that communicate management’s intent, objectives, requirements, responsibilities, and standards for a particular subject.) b. Communications. The entity has communicated its defined policies to responsible parties and authorized users of the system. c. Procedures. The entity placed in operation procedures to achieve its objectives in accordance with its defined policies. d. Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies.
  • 18. .12 For the trust services principles and criteria of security, availability, processing integrity, and confidentiality, a two-column format has been used to present the criteria. The first column presents the criteria for each principle, and the second column provides illustrative controls.
  • 20. .13 A system description is used to delineate the boundaries of the system under examination for the trust services principles and criteria of security, availability, processing integrity, and confidentiality. For engagements covering an entity’s compliance with its commitments, those commitments should be included in the system description or should otherwise accompany the report.
  • 22. .14 A reliable system is one that is capable of operating without material error, fault, or failure during a specified period in a specified environment. A practitioner may provide a report on systems reliability that addresses the trust services principles and criteria of security, availability, and processing integrity. These criteria are used to evaluate whether a system is reliable.
  • 23. .15 The trust services principles and criteria of privacy are organized into two broad areas: a. Policies and communications. Privacy policies are written statements that convey management’s intent, objectives, requirements, responsibilities, and standards concerning privacy. Communications refers to the organization’s communication to individuals, internal personnel, and third parties about its privacy notice and its commitments therein and other relevant information. b. Procedures and controls. The other actions the organization takes to achieve the criteria.
  • 24. .16 The scope of a privacy engagement can cover (1) either all personal information or only certain identified types of personal information, such as customer information or employee information, and (2) all business segments and locations for the entire entity or only certain identified segments of the business (for example, retail operations but not manufacturing operations, or only operations originating on the entity’s Web site or specified Web domains) or geographic locations (such as only Canadian operations). The scope of a privacy engagement should cover all of the activities in the information life cycle, which consists of collection, use, retention, disclosure and destruction, de-identification, or anonymization.
  • 25. .17 For the trust services principles and criteria of privacy, a three-column format has been used to present the criteria. The first column contains the measurement criteria for each principle—the attributes that the entity must meet to be able to demonstrate that it has achieved the principle. The second column provides illustrative controls and procedures, which are designed to enhance the understanding of the criteria. The illustrations are not intended to be comprehensive, nor are any of the illustrations necessary for an entity to have met the criteria. The third column presents additional considerations, including supplemental information such as good privacy practices and selected requirements of specific laws and regulations that pertain to a certain industry or country.
  • 26. Effective Date .18 The trust services principles and criteria are effective as of September 15, 2009.
  • 39. Exclusions. Please note clause 1.2: Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization’s ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.
  • 40. We are not just seeking evidence of some policy, procedure or standard to confirm that it is in place, because in reality we expect that many are. We will also be attempting to identify the level of maturity based on a common scale to help us in our assessment of control effectiveness.
  • 41. Within the ‘Control Effectiveness’ we assess the current status of existing controls based on a scale of 1 – 5. The ‘X’/‘Y’ Axis tracks the various stages of adoption as process maturity evolves, while the ‘Z’ Axis tracks the business benefits as incidents and faults decrease, lowering costs.
  • 42. Assessing the Maturity of Conformity with best practices such as ISO/IEC 27001:2005 provides management with greater insight, facilitating decision making, including prioritization, resource and capital allocation and the necessary amount of detail required for corrective actions and/or preventive actions designed to close the delta.
  • 43. Within the scale of 1 – 5, less conformity and maturity results in a higher score, which also increases the priority rating for management decision making. As a result, policies, procedures and standards that are completely missing will get the necessary resources and capital to close these deltas.
  • 44. The GAP Assessment worksheet requires that accountability be clearly identified and that the location of evidence of conformity be provided for review, to verify and validate the level of maturity assigned. The Trust Services Principles and Criteria comprise 127 control objectives based on 600 control points, in comparison to the 235 listed in ISO/IEC 27001.
  • 46. The Heat Map provides an effective communication tool to summarize the GAP Assessment, identifying where management needs to prioritize their efforts to get the most value and reduce risk to Enterprise Assets.
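As an added illustration (not code from the deck or its author), the following models the worksheet and heat-map rules the slides describe: a 1 – 5 score where a higher value means less conformity and maturity, an accountable owner and an evidence location required before a row counts, rows ranked so the highest scores get priority, and a heat map cell per principle and area. The principle and area names are those listed in the deck; laying the heat map out as principle × area, and the control ids, owners and evidence locations, are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Taken from the deck: the four principles presented in the two-column format and the
# four broad areas their criteria are organized into.
PRINCIPLES = ("Security", "Availability", "Processing integrity", "Confidentiality")
AREAS = ("Policies", "Communications", "Procedures", "Monitoring")


@dataclass(frozen=True)
class WorksheetRow:
    control_id: str   # constructed reference; the real worksheet would cite a criterion
    principle: str
    area: str
    score: int        # 1 = fully conforming and mature ... 5 = completely missing
    owner: str        # accountable person the worksheet requires
    evidence: str     # location of the evidence of conformity provided for review


def validate_row(row):
    """Return the problems that stop a row from being accepted (empty list = accepted)."""
    problems = []
    if row.principle not in PRINCIPLES:
        problems.append(f"unknown principle {row.principle!r}")
    if row.area not in AREAS:
        problems.append(f"unknown area {row.area!r}")
    if not 1 <= row.score <= 5:
        problems.append(f"score {row.score} outside the 1-5 scale")
    if not row.owner.strip():
        problems.append("no accountable owner identified")
    # A control claimed to exist (score below 5) must point at evidence a reviewer
    # can verify; a score of 5 records that nothing is in place, so none is expected.
    if row.score < 5 and not row.evidence.strip():
        problems.append("evidence location missing for a control claimed to be in place")
    return problems


def accepted_rows(rows):
    return [r for r in rows if not validate_row(r)]


def heat_map(rows):
    """Mean score per (principle, area) cell; a higher value is a larger delta to close."""
    cells = defaultdict(list)
    for r in accepted_rows(rows):
        cells[(r.principle, r.area)].append(r.score)
    return {k: round(sum(v) / len(v), 2) for k, v in cells.items()}


def priority_order(rows):
    """Least mature first, since a higher score raises the priority rating."""
    return sorted(accepted_rows(rows), key=lambda r: (-r.score, r.control_id))


def render_heat_map(rows):
    hm = heat_map(rows)
    lines = ["principle".ljust(22) + "".join(a.ljust(16) for a in AREAS)]
    for p in PRINCIPLES:
        lines.append(p.ljust(22) + "".join(str(hm.get((p, a), "-")).ljust(16) for a in AREAS))
    return "\n".join(lines)


# Constructed sample worksheet rows (not from the deck).
SAMPLE_ROWS = [
    WorksheetRow("S-POL-01", "Security", "Policies", 2, "CISO", "policy repo /isms/security-policy-v3"),
    WorksheetRow("S-MON-01", "Security", "Monitoring", 4, "SOC lead", "ticket queue, Q3 review notes"),
    WorksheetRow("S-MON-02", "Security", "Monitoring", 5, "SOC lead", ""),  # missing; no evidence expected
    WorksheetRow("A-PRC-01", "Availability", "Procedures", 3, "Ops manager", "DR runbook v2"),
    WorksheetRow("C-COM-01", "Confidentiality", "Communications", 3, "", "intranet page"),  # rejected
    WorksheetRow("P-PRC-01", "Processing integrity", "Procedures", 2, "App owner", ""),  # rejected
]

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(r.control_id, validate_row(r) or "accepted")
    print(render_heat_map(SAMPLE_ROWS))
    for r in priority_order(SAMPLE_ROWS):
        print(r.score, r.control_id, r.owner)
```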
  • 47. The Star Chart provides valuable insight into current state and future state: where are we today? Where do we need to be to maximize value delivery and achieve strategic and tactical goals?
  • 48. The following table identifies the supplemental information that is required in addition to the GAP Assessment to facilitate the communication of our to-be state and target state.
  • 49. The Knowledge Capability Chart provides valuable insight into the current state of Knowledge Management and potential areas where gaps in knowledge exist.
  • 50. The Boston Square provides valuable insight by identifying potential areas of improvement where the Enterprise can achieve the most value and business benefit.
  • 51. The following table identifies the supplemental information that is required in addition to the GAP Assessment to facilitate the communication of high value opportunities for improvement and business benefits. Table columns: Management Area Affected | Detailed Description | Quantifiable Benefit | Strategic Benefit | Risks of Implementing | Risk of Not Implementing | Groups Impacted
  • 52. Conformity with Annex ‘A’ Control Objectives. Conformity with Mandatory Control Objectives.
  • 54. • Executive Endorsement of ISMS Project Delta • Executive Endorsement for ISMS project charter • Executive Endorsement for ISMS project budget
  • 55. Mark E.S. Bernard, CISSP, CISM, CRISC, CISA, CGEIT, CNA. Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard