Security, Audit and Compliance: course overview

  • 812 views
The presentation I use to introduce the post-grad module on information security and governance I teach at Edinburgh Napier University. If you want to find out more, google for 'INF11109' on the napier.ac.uk site.

Transcript

  • 1. Security Audit & Compliance: subject overview. Peter Cruickshank
  • 2. Overview • Scope and context • What do we mean by security • Topics we will cover. The aim is to let you see the scope, and to get you familiar with the concepts and issues
  • 3. Stereotype 1
  • 4. Stereotype 2
  • 5. The aim of this course: mutual understanding between techies and managers
  • 6. THE SCOPE OF THE INFORMATION SYSTEM
  • 7. Six components of an information system: Procedures, People, Data, Applications, Networks, Hardware (?)
  • 8. Another view: Computing system, Computing environment, Application environment, Socio-economic environment
  • 9. IS in context: Application Environment • Growing business dependence on IS/IT • Development of general purpose rather than dedicated applications – Built using common toolsets – Less variety in structure & design • Large scale integration of data sets • Computer to computer transactions • Autonomous trading systems
  • 10. IS in context: Computing Environment • Growth in the power and availability of technology • Rapid spread of data communications networks • Development of powerful databases and search engines • High degree of component commonality
  • 11. IS in context: Socio-economic-legal • Increasing computer fraud • Concerns about privacy • Greater public knowledge of computing • Rising globalisation of trade • Introduction of specific laws to control the use of IT • Public policy v personal preference?
  • 12. The scope of this course: (Business) Computer and Information Systems • That is: we’re taking the viewpoint of an organisation and its management – Could be government, public sector or NGO • Issues around consumers or individual citizen rights are not central to what we cover • …nor is the role of ‘national security’ in setting the computer environment …though these are interesting and important in their own right
  • 13. WHAT IS SECURITY
  • 14. What is security? Mordac the preventer of information (© Dilbert.com)
  • 15. What is security? “If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that’s what governments, companies, family members, and everyone else provide. Of course, there are two ways to make people feel more secure. 1. The first is to make people actually more secure, and hope they notice. 2. The second is to make people feel more secure without making them actually more secure, and hope they don’t notice. The key here is whether we notice. The feeling and reality of security tend to converge when we take notice, and diverge when we don’t. People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn’t too much emotion clouding the issue.” The feeling and the reality of security, Schneier 2008
  • 16. …Watch for security theatre that is…
  • 17. The security balance. Security: • Complex passwords are secure • Encryption protects assets. Access: • Complex passwords prevent access • Encryption slows things down. Risk. • Technology is not enough • Controls often conflict with usability and business objectives
  • 18. The security balance 2: a chart of effectiveness against level of technical security, with the regions labelled “Too complex to work”, “Optimum balance” and “Too risky”
  • 19. What is security? Information security as… Science: • Security as an engineering discipline • Subject to systems thinking. Art: • When things get complicated, it gets too much to plan • The security manager is left to judge the best way(s) forward. Social science: • People interact with systems: users need to do things • Behavioural aspects of organisations and change management
  • 20. What is security? Example of making a business secure. Schneier’s three steps to improved security: 1. Enforce liabilities 2. Allow liabilities to be transferred 3. Outsource security. “Network security is a business problem, and the only way to fix it is to concentrate on the business issues… I have a three-step program towards improving computer and network security. None of the steps has anything to do with the technology; they all have to do with businesses, economics, and people.” Liability & Security in Schneier (2008)
  • 21. Security in business: concept map (Raval & Fichadia 2007, Ch 1). Nodes: Business model, Structure, Process, Information, Control & Security Management; links: “is comprised of”, “warrant actions for”, “by”
  • 22. CORE TOPICS
  • 23. Information Security Attributes • Confidentiality: protecting privacy • Integrity: protection from accidental or deliberate (malicious) modification • Availability: …for legitimate users; prevention of DoS attacks etc • Authentication: who are you – supports non-deniability • Authorization: what can you do? • Auditing: effective auditing and logging is the key to non-repudiation
  • 24. Business requirements in COBIT (COBIT 4.1) • Effectiveness: relevant and pertinent; timely, correct, consistent • Efficiency: productive and economical • Confidentiality: no unauthorised disclosure • Integrity: protection from accidental or malicious modification; accurate, complete, valid • Availability: …for legitimate users; prevention of DoS attacks etc • Reliability: appropriate information to support management decisions
  • 25. Secure Computing • A computing regime under which information may be stored and processed: – To defined standards of confidentiality, integrity and availability – To an assessable level of assurance. Security is not a commodity; security is a state of being!
  • 26. RELATED TOPICS
  • 27. Another theme: Governance, Risk Management, Compliance
  • 28. Governance frameworks • From the state: Legal – Privacy laws – Property legislation: computers, IPR etc • Sources of law – National – European – USA • Standards – Security criteria – Published standards
  • 29. Ethics • Computing poses a new environment for ethical consideration • Who decides the ethical aspects? – Computer professionals – Leaders of commerce & industry – Computer users – Citizens • What happens when different values collide?
  • 30. Governance: Privacy • Holding of data relating to people • Aggregation of personal data – Data matching – Marketing of data – Universal identifiers • Enforcement of fair practice • Need for a legal context – Local – Global • Interacts with individuals’ expression of their identity online
  • 31. Governance: Fraud & Abuse • Corrupting information • Damage and disruption • Threats to the person • Theft of property and services • Financial crime
  • 32. Managing threats and vulnerabilities • Threat: potential event that can adversely affect an asset • Attack: a successful attack exploits vulnerabilities in your system • Risk: likelihood and impact of that threat occurring
  • 33. Security management • Policies: sanctioned by senior management • Standards: built on sound policy; carry the weight of policy • Implemented through practices, procedures and guidelines
  • 34. Incident response and business continuity: an extension of risk management (Whitman & Mattord p212) • Impact analysis: accept, mitigate • Response planning: detection, reaction, recovery • Disaster recovery planning: crisis management, operations recovery • Business continuity planning: strategies, planning, management
  • 35. System design principles • Authorisation – Rule driven controls • Least privilege – Need to know principle • Separation of duty – No individuals in complete control • Redundancy – To allow graceful degradation
  • 36. Controls
  • 37. Controls • Control activities are actions, supported by policies and procedures, that, when carried out properly and in a timely manner, manage or reduce risks.
  • 38. Controls. Preventive controls • Preventive controls attempt to deter or prevent undesirable events from occurring • They are proactive controls that help to prevent a loss • Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets. Detective controls • Detective controls, on the other hand, attempt to detect undesirable acts • They provide evidence that a loss has occurred but do not prevent a loss from occurring • Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits
  • 39. Controls • Both types of controls are essential to an effective internal control system • From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality • However, detective controls play a critical role in providing evidence that the preventive controls are functioning and preventing losses
  • 40. Final thought: http://xkcd.com/936/
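The following is an added worked example, not part of the lecture slides, that puts slide 35’s design principles (rule-driven authorisation, least privilege, separation of duty) and slides 38 and 39’s preventive and detective controls into a small payment-approval workflow. The roles, users, payments and the “legacy batch import” weak spot are all constructed for the illustration; the point is that the role checks and the separation-of-duty rule are preventive controls, while the log review that reconciles the ledger against the rules is a detective control, and it is the detective control that surfaces the breach the preventive controls never saw.

```python
from dataclasses import dataclass, field
from typing import Optional

# Least privilege: each role is granted only the actions its job needs.
# Roles below are constructed for this example; "manager" can both submit
# and approve, so separation of duty has to be enforced as a separate rule.
ROLE_PERMISSIONS = {
    "clerk": {"submit"},
    "manager": {"submit", "approve"},
    "auditor": {"review"},
}


@dataclass
class Payment:
    pid: int
    amount: int
    submitted_by: Optional[str] = None
    approved_by: Optional[str] = None


@dataclass
class PaymentSystem:
    users: dict                                     # user name -> role
    payments: dict = field(default_factory=dict)    # pid -> Payment
    audit_log: list = field(default_factory=list)   # (user, action, pid, outcome)

    def _log(self, user, action, pid, outcome):
        # Every decision, allowed or denied, is recorded: the raw material for auditing.
        self.audit_log.append((user, action, pid, outcome))

    def _allowed(self, user, action):
        # Rule-driven authorisation: the decision depends only on the user's role.
        role = self.users.get(user)
        return role is not None and action in ROLE_PERMISSIONS[role]

    def submit(self, user, pid, amount):
        """Preventive control: only roles holding 'submit' may create a payment."""
        if not self._allowed(user, "submit"):
            self._log(user, "submit", pid, "denied: no permission")
            return False
        self.payments[pid] = Payment(pid, amount, submitted_by=user)
        self._log(user, "submit", pid, "ok")
        return True

    def approve(self, user, pid):
        """Preventive control: only 'approve' roles, and never the submitter
        (separation of duty: no individual in complete control of a payment)."""
        if not self._allowed(user, "approve"):
            self._log(user, "approve", pid, "denied: no permission")
            return False
        payment = self.payments.get(pid)
        if payment is None:
            self._log(user, "approve", pid, "denied: unknown payment")
            return False
        if payment.submitted_by == user:
            self._log(user, "approve", pid, "denied: separation of duty")
            return False
        payment.approved_by = user
        self._log(user, "approve", pid, "ok")
        return True

    def load_legacy_batch(self, records):
        """Constructed weak spot: a batch import that writes straight to the
        ledger, standing in for any channel the preventive controls do not cover."""
        for pid, amount, submitted_by, approved_by in records:
            self.payments[pid] = Payment(pid, amount, submitted_by, approved_by)
            self._log("batch", "import", pid, "ok")

    def review(self, user):
        """Detective control: reconcile the ledger against the rules after the fact.
        Returns (denied events, pids approved by their own submitter), or None
        if the caller is not an auditor."""
        if not self._allowed(user, "review"):
            self._log(user, "review", 0, "denied: no permission")
            return None
        denied = [e for e in self.audit_log if e[3].startswith("denied")]
        sod_breaches = sorted(
            p.pid for p in self.payments.values()
            if p.approved_by is not None and p.approved_by == p.submitted_by)
        self._log(user, "review", 0, "ok")
        return denied, sod_breaches


def demo():
    """Run a constructed scenario and return the auditor's review result."""
    system = PaymentSystem(users={"alice": "clerk", "bob": "manager", "carol": "auditor"})
    system.submit("alice", 1, 500)     # ok: clerk submits
    system.approve("bob", 1)           # ok: a different person approves
    system.submit("bob", 2, 900)       # ok: manager may submit
    system.approve("bob", 2)           # denied: separation of duty
    system.approve("alice", 2)         # denied: clerk cannot approve
    system.load_legacy_batch([(3, 1200, "erin", "erin")])  # bypasses the checks
    system.review("alice")             # denied: only auditors review
    result = system.review("carol")
    for entry in system.audit_log:
        print(entry)
    return result


if __name__ == "__main__":
    print(demo())
```

The preventive controls stop the self-approval of payment 2 at the point of action, but nothing stops the batch import of payment 3; only the reconciliation in `review` reports it, which is the evidence slide 39 says detective controls exist to provide.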