This document proposes an Information Security Governance Framework to help corporate executives better govern information security activities. The framework combines and relates existing information security schemes and provides a unified way for executives to direct, monitor, and evaluate security-related work. It is needed because most companies currently take a bottom-up approach to security that is not well-aligned with corporate governance. The proposed framework defines the key elements and interfaces of an Information Security Governance system to address issues and overcome difficulties in how companies govern security.
Information Security between Best Practices and ISO StandardsPECB
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr.Gohar has more than 10 years of experience in ISM/ITSM Training and Consultation. He is one of the expert reviewers of CISA RM 26th edition (2016), ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
This is one of the presentations I have personally taken great quality time to prepare. It is a lecture class presentation on Chapter 7: IT Security and Risk Mitigation, part of the course BIT 1208: Information Technology for Financial Services under the Bachelor of Information Technology at Makerere University. The outline includes topics like Basic principles, Key concepts, Authenticity, Banking security standards, Risk of password sharing, Mitigation controls, Administrative, Logical, Physical, Security processes and management, Security governance, Incident response, Risk management and IT auditing, Business continuity, Disaster recovery planning, Professionalism and ethical standards, IT audit framework/ standardization, International certifications in IT security, International standards of IT security, and SBP IT Audit
Information Security between Best Practices and ISO StandardsPECB
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr.Gohar has more than 10 years of experience in ISM/ITSM Training and Consultation. He is one of the expert reviewers of CISA RM 26th edition (2016), ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
This is one of the presentations I have personally taken great quality time to prepare. It is a lecture class presentation on Chapter 7: IT Security and Risk Mitigation, part of the course BIT 1208: Information Technology for Financial Services under the Bachelor of Information Technology at Makerere University. The outline includes topics like Basic principles, Key concepts, Authenticity, Banking security standards, Risk of password sharing, Mitigation controls, Administrative, Logical, Physical, Security processes and management, Security governance, Incident response, Risk management and IT auditing, Business continuity, Disaster recovery planning, Professionalism and ethical standards, IT audit framework/ standardization, International certifications in IT security, International standards of IT security, and SBP IT Audit
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
Cyber Security is one of the major challenges facing organisations within all industries. This presentation will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) and propose a generic framework.
Download this presentation at http://opengroup.co.za/presentations
Basics in IT Audit and Application Control Testing Dinesh O Bareja
IT Audit and Application Control Testing are large and complex activities in themselves, and it is my presentation to share the basics here, based on my own experience and using guidance from IIA GTAGs.
I approached this project with that in mind. This home lab walks through the process of configuring, optimizing, and securing an IT infrastructure. Although this will be at a relatively small scale, you will be able to apply the knowledge gained in a real-world large-scale/enterprise infrastructure.
In Cybersecurity, it could be a daunting task to apply and implement security concepts if there is an unavailability of practical and safe infrastructure to carry out these activities.
Defining an IT Auditor,
IT Auditor Certifications & ISACA,
IT Audit Phases,
Preparing to be Audited,
How IT auditor audits an Applications,
Auditing technology for Information System.
Business continuity and disaster recovery are not the same but complement each other. Planning on BCP and DRP is necessary for all business. This slide contains information on how to achieve and maintain them.
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032PECB
The webinar covers:
• An overview of Cybersecurity
• Explaining of Cybersecurity Relationship with other types of security
• Guidance for addressing common Cybersecurity issues.
• Convincing stakeholders to collaborate on resolving Cybersecurity issues.
Presenter:
This webinar was presented by PECB Partner and Trainer Mr. Fabrice DePaepe, who is Managing Director at Nitroxis Sprl and has more than 15 years of experience in IT and Information Security.
Link of the recorded session published on YouTube: https://youtu.be/fQUSQEoLsYc
Does Anyone Remember Enterprise Security Architecture?rbrockway
The concept of Enterprise Security Architecture (ESA) is not new (Gartner 2006), yet the numbers from the past several years’ worth of breach data indicates that most organizations continue to approach security on a project by project basis or from a compliance perspective. This talk will refresh the ESA concept and communicate tangible and realistic steps any organization can take to align their security processes, architecture and management to their business strategies, reduce business risks and significantly improve their overarching security posture.
A DECISION-MAKING MODEL FOR REINFORCING A CORPORATE INFORMATION SECURITY SYSTEMIAEME Publication
Recently, information security incidents such as personal information leakage have been regarded as serious risk factors that directly affect corporate sales reduction and corporate image loss. In order to manage information security systematically, enterprises have been introducing information security systems more than ever before. This study aims to derive major items of the information security system mainly for corporate organizational management, with a focus on the technology-organizationenvironment (TOE) framework, and suggests a direction for system build-up and management. To this end, the Analytic Hierarchy Process (AHP) was conducted on 20 items derived from previous studies. A survey was conducted among 24 individuals, including 12 corporate internal administrators and 12 corporate external consultants. As a result, it turned out that environmental factors affected the information security system more significantly among technical, organizational, and environmental factors. Notably, 'compliance with legal requirements,' 'protection of information subjects' rights,' and 'increase of the information security awareness' affected the operation of the information security system or related decision-making processes. This finding suggests that although technical and organizational management is also essential when it comes to corporate information security system operation, the system needs to respond swiftly to rapid market changes and legal and administrative changes concerning information security.
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
Cyber Security is one of the major challenges facing organisations within all industries. This presentation will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) and propose a generic framework.
Download this presentation at http://opengroup.co.za/presentations
Basics in IT Audit and Application Control Testing Dinesh O Bareja
IT Audit and Application Control Testing are large and complex activities in themselves, and it is my presentation to share the basics here, based on my own experience and using guidance from IIA GTAGs.
I approached this project with that in mind. This home lab walks through the process of configuring, optimizing, and securing an IT infrastructure. Although this will be at a relatively small scale, you will be able to apply the knowledge gained in a real-world large-scale/enterprise infrastructure.
In Cybersecurity, it could be a daunting task to apply and implement security concepts if there is an unavailability of practical and safe infrastructure to carry out these activities.
Defining an IT Auditor,
IT Auditor Certifications & ISACA,
IT Audit Phases,
Preparing to be Audited,
How IT auditor audits an Applications,
Auditing technology for Information System.
Business continuity and disaster recovery are not the same but complement each other. Planning on BCP and DRP is necessary for all business. This slide contains information on how to achieve and maintain them.
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032PECB
The webinar covers:
• An overview of Cybersecurity
• Explaining of Cybersecurity Relationship with other types of security
• Guidance for addressing common Cybersecurity issues.
• Convincing stakeholders to collaborate on resolving Cybersecurity issues.
Presenter:
This webinar was presented by PECB Partner and Trainer Mr. Fabrice DePaepe, who is Managing Director at Nitroxis Sprl and has more than 15 years of experience in IT and Information Security.
Link of the recorded session published on YouTube: https://youtu.be/fQUSQEoLsYc
Does Anyone Remember Enterprise Security Architecture?rbrockway
The concept of Enterprise Security Architecture (ESA) is not new (Gartner 2006), yet the numbers from the past several years’ worth of breach data indicates that most organizations continue to approach security on a project by project basis or from a compliance perspective. This talk will refresh the ESA concept and communicate tangible and realistic steps any organization can take to align their security processes, architecture and management to their business strategies, reduce business risks and significantly improve their overarching security posture.
A DECISION-MAKING MODEL FOR REINFORCING A CORPORATE INFORMATION SECURITY SYSTEMIAEME Publication
Recently, information security incidents such as personal information leakage have been regarded as serious risk factors that directly affect corporate sales reduction and corporate image loss. In order to manage information security systematically, enterprises have been introducing information security systems more than ever before. This study aims to derive major items of the information security system mainly for corporate organizational management, with a focus on the technology-organizationenvironment (TOE) framework, and suggests a direction for system build-up and management. To this end, the Analytic Hierarchy Process (AHP) was conducted on 20 items derived from previous studies. A survey was conducted among 24 individuals, including 12 corporate internal administrators and 12 corporate external consultants. As a result, it turned out that environmental factors affected the information security system more significantly among technical, organizational, and environmental factors. Notably, 'compliance with legal requirements,' 'protection of information subjects' rights,' and 'increase of the information security awareness' affected the operation of the information security system or related decision-making processes. This finding suggests that although technical and organizational management is also essential when it comes to corporate information security system operation, the system needs to respond swiftly to rapid market changes and legal and administrative changes concerning information security.
Securing Cloud Computing Through IT GovernanceITIIIndustries
Lack of alignment between information technology (IT) and the business is a problem facing many organizations. Most organizations, today, fundamentally depend on IT. When IT and the business are aligned in an organization, IT delivers what the business needs and the business is able to deliver what the market needs. IT has become a strategic function for most organizations, and it is imperative that IT and business are aligned. IT governance is one of the most powerful ways to achieve IT to business alignment. Furthermore, as the use of cloud computing for delivering IT functions becomes pervasive, organizations using cloud computing must effectively apply IT governance to it. While cloud computing presents tremendous
opportunities, it comes with risks as well. Information security
is one of the top risks in cloud computing. Thus, IT governance must be applied to cloud computing information security to help manage the risks associated with cloud computing information security. This study advances knowledge by extending IT governance to cloud computing and information security governance.
RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ...ijcsit
Information security against hacking, altering, corrupting, and divulging data is vital and inevitable and it requires an effective management in every organization. Some of the upcoming challenges can be the study
of available frameworks in Enterprise Information Security Architecture (EISA) as well as criteria
extraction in this field. In this study a method has been adopted in order to extract and categorize
important and effective criteria in the field of information security by studying the major dimensions of
EISA including standards, policies and procedures, organization infrastructure, user awareness and
training, security base lines, risk assessment and compliance. Gartner's framework has been applied as a
fundamental model to categorize the criteria. To assess the proposed model, a questionnaire was prepared
and a group of EISA professionals completed it. The Fuzzy TOPSIS was used to quantify the data and prioritize criteria. It could be concluded that the database and database security criteria, inner software security, electronic exchange security and supervising malicious software can be high priorities.
NON-PROFIT ORGANIZATIONS’ NEED TO ADDRESS SECURITY FOR EFFECTIVE GOVERNMENT C...IJNSA Journal
The need for information security within small to mid-size companies is increasing. The risks of information security breach, data loss, and disaster are growing. The impact of IT outages and issues on the company are unacceptable to any size business and their clients. There are many ways to address the security for IT departments. The need to address risks of attacks as well as disasters is important to the IT security policies and procedures. The IT departments of small to medium companies have to address these security concerns within their budgets and other limited resources.Security planning, design, and employee training that is needed requires input and agreement from all levels of the company and management. This paper will discuss security needs and methods to implement them into a corporate infrastructure.
Case Study on Effective IS Governance within a Department of Defense Organiza...Chris Furton
This case study develops influencing factor that should be considered when developing an effective information security governance program with a Department of Defense weapons system test and evaluation organization. The influencing factors are then incorporated into an existing governance framework developed by A. Da Veiga and J. H. P. Eloff (2007). The result is a unique framework tailored to the organization which can be used as the foundation to building a holistic information security program.
Attacks on the enterprise are getting increasingly sophisticated. Current solutions available do not seem to be adequate given the innovativeness, precision and persistence of these attacks in different forms and of different dimensions. Organisations thus want to increase the sophistication of their employees and also of the solutions to be deployed given this backdrop.
Discussion 1Recommend three countermeasures that could enhance.docxelinoraudley582231
Discussion 1
Recommend three countermeasures that could enhance the information security measures of an enterprise. Justify your recommendations.
1. Upon extensive review of existing IT EBK and what new measures needed to be taken, Homeland Security came to the conclusion that a comprehensive approach information security including the steps of manage, design, implement, and evaluate would best serve to safeguard against future threats. Manage: calls for the oversight of security programs to come from the highest levels of chains of command with constant focus on “ensuring its currency with changing risk and threat” (2007, p. 9). Design: calls for analyzing a program to assess what types of “procedures and processes” will best direct its successful execution. Implement: refers to how programs and policies are instituted within the company. Evaluate: this final step calls for a final critique of the new program or policy’s successful ability to [achieve] its purpose (2007, p. 9).
2. Homeland Security also recommended a “Competency and Functional Framework for IT Workplace Development” that placed strong emphasis on a clear chain of command and communication with clear job titles and IT employee roles being placed into a group of Executive, Functional or Corollary employees (2007, p. 17).
3. The report stressed the primary role of “the IT Security Compliance Professional is . . . overseeing, evaluating, and supporting compliance issues pertinent to the organization” (Homeland Security, 2007, p.16). Thus, the report logically concluded that IT professionals must know and be able to properly define terms such as evaluation, compliance and assessment in order to properly perform their duties (p. 14).
Propose three cybersecurity benefits that could be derived from the development of a strategic governance process. Select the benefit you find most important and explain why.
The National Computing Centre points out that there are numerous benefits to having a rigorous strategic governance process in place. Among them, increased transparency and accountability which leads to an “improved transparency of IT costs, IT process, [and] IT portfolio (2005, p. 6). This increased transparency and accountability also leads to an “improved understanding of overall IT costs and their input to ROI cases” which in turn often brings about “an increased return on investment/stakeholder value” (p. 6). Finally, the authors point to the fact that with increased transparency comes increased accountability and companies avoid “unnecessary expenditures” (p. 7).
Discussion 2
Categorize the roles described by the Information Technology Security Essential Body of Knowledge (EBK), in terms of executive, functional, and corollary competencies. Select two of these roles that you believe enhance the security countermeasures of an organization the most and justify your response.
As mentioned previously, Homeland Security’s 2007 report emphasized the importance of properly .
To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest
risk to their business. This global study of Enterprise-class organizations highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companies’ IT security priorities around processes, practices and technology for 2012 and beyond.
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docxhealdkathaleen
Running Head: CYBERSECURITY FRAMEWORK 1
CYBERSECURITY FRAMEWORK 5
Integrating NIST CSF with IT Governance Frameworks
Nkengazong Tung
University of Maryland University College
29 AUGUST 2019
IT governance is the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. In the eCommerce industry, IT governance develop structure by characterizing hierarchical detailing lines, oversight advisory groups, standards, approaches, and procedures. A well-characterized structure viably sets the working limits for the association (Moeller, 2017). It additionally sets guidelines by making or lining up with the corporate procedure and characterizing the short and long haul objectives for the association. In the eCommerce industry, it is important to note how the regulations are followed, how standards are followed by the process managers, how planning for the capacity of servers should be done, ensure all the IT assets are tracked, etc. This internal function that is self-checking the “health status” of the various process to ensure the smoother function is Governance. Comment by Michael Baker: Recommend subtitles that match rubric
IT management is overseeing IT services or innovation in an organization. It has several elements, all of which focus on aligning IT goals with business objectives in a way that creates the most value of an organization. These components are IT strategy, IT service and IT asset. Some of IT management issues faced by an eCommerce company include ways to secure customers information, providing value to the company, as well as supporting business operations. To address IT management challenges faced in eCommerce, IT policies must be put in place to define various processes within the organization. A policy is a set of guidelines that define how things are done within an organization. With a well-defined policy, activities in the eCommerce industry are well outlined and making it easy to operate.
Risk Management is the process used to identify, evaluate and respond to possible accidental losses in situations where the only possible outcomes are losses or no change in the status. It is an overall administration function that tries to evaluate and address the circumstances and end results of vulnerability and threat to an association (Susmann & Braman, 2016). The aim of threat management is to empower an association to advance towards its objectives and goals in the most immediate, proficient, and viable way. Risk management issues faced by an eCommerce company are loss of data, unauthorized access of data as well as system failure. To address risk management in the eCommerce industry, a comprehensive risk management plan must be developed to address possible risks that might cause harm to the system. A good risk management plan provides procedures as well as guideline on how to respond to threats and also unforeseen incidents. By having a well-laid plan, the ...
Artificial Intelligence - intersection with compliance. How AI principles work with compliance principles around data protection. AI and Compliance. AI - SYSC 13.7 - FCA Compliance. AI and regulation. AI and FCA regulation. AI and ICO regulation.
The Significance of IT Security Management & Risk AssessmentBradley Susser
The Significance of IT Security Management & Risk Assessment
An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization’s financial impact due to the exploitation of numerous organizational assets.
Similar to Information security governance framework (20)
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Accelerate your Kubernetes clusters with Varnish Caching
Information security governance framework
1. Information Security Governance Framework
Eijiroh Ohki
Professor
Faculty of Informatics
Kogakuin University
eohki@cc.kogakuin.ac.jp
Yonosuke Harada
Executive Research Director
InfoCom Research, Inc.
and Professor
Osaka University
harada@icr.co.jp
Shuji Kawaguchi
Senior Project Manager
Information Security Research Group
Mitsubishi Research Institute, Inc.
kawaguti@mri.co.jp
Tetsuo Shiozaki
General Manager,
Information Security Center, Security Solutions Unit,
Fujitsu Limited
shiozaki@jp.fujitsu.com
Tetsuyuki Kagaua
Associate Professor
Graduate School of Commerce and Management,
Hitotsubashi University
cc00591@srv.cc.hit-u.ac.jp
ABSTRACT
Many companies, especially Japanese companies, have
implemented information security with bottom up approach, starting
from implementing piece by piece security controls. As increase the
number of information security incidents and spread its impact,
companies have implemented many measures in the wide spectrum,
from technical counter measure systems (firewalls to protect internal
network) to security management.
Japanese government has introduced compliance schemes for
protecting privacy data and computers from illegal access. In
addition, Ministry of Economics, Trade and Industry (METI)
proposed private companies to enhance information security
governance capabilities with the tools such as “Information Security
Report Model” (here after IS for ‘Information Security’), “IS
Management Benchmarking” and “Business Continuity Planning
Guide (BCP)”.[6]
IS Management System (ISMS) certification, IS
Auditing and IS Rating scheme are also introduced to assure the
implementation of security.
Then, there are so many measures existing separately. Corporate
Executives (CEO and board of directors including CIO, CRO, and
CISO etc.) have come to know the amount of investment for
security measures is too large to pay.
This paper propose Information Security Governance (here in
after, ISG) Framework which combines and inter-relates many
existing information security schemes. With this ISG framework,
Corporate Executives can direct, monitor, and evaluate IS related
activities in a unified manner. [1]
Categories and Subject Descriptors
K.6.4 System Management: Information Systems Management
System and its Governance, K.6.1 Project and People Management :
Board of Directors and Executives responsibility and accountability,
K.6.5 Security and Protection:
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise,
or republish, to post on servers or to redistribute to lists, requires prior
specific permission and/or a fee.
WISG’09, November 13, 2009, Chicago, Illinois, USA.
Copyright 2009 ACM 978-1-60558-787-5/09/11...$10.00.
General Terms
Management, Measurement, Security, Standardization
Keywords
Governance standards, formal governance models, formal audit
models, governance architecture and implementation, risk
management
1. Introduction
Rapid increase of computer and internet utilization in these two
decades brought the Information Society. Companies and
organizations have been eagerly utilizing computers and internet
for business. At same time, misuse of computers and illegal
conducts are increasing with the growth of computerization. IT
ability has become to store several gigabytes of data in a finger
size USB stick which can store more than million privacy data.
Once such data has been exposed, many people will be suffered
with spam mail, direct sales telephone and so on. Nowadays, we
have seen Corporate Executives of the company are apologizing
to the victims once the company exposed their information.
Information security incidents often influence to the corporate
processes and operations directly. For example, if company
develop and operate global value chain, they have to share
information assets broadly with their business partners. Definitely,
they need a secure system to share information assets to build and
maintain their competitiveness. We should understand that
information assets management should be a major element of
business strategy, and information security measures are directly
connected with the corporate value.
In addition, our business activities deeply depend on IT
infrastructure. Therefore, any IT accident (for example, business
process interruption by system trouble, or the leakage of
confidential data of the partners) may cause a great loss to the
company. There is a research that the news of IT accidents
significantly reduced the company's market value. [4]
On the other hand, disclosing IS related risk information is
expected to suppress negative reaction in the stock market. There
is a research to compare one company that disclosed its IT risk
through its financial statements with the other one that didn't
disclose it. The research indicated that both stock prices reduced
1
2. right after the IT accident, but the stock price of the company,
who disclosed the risks in advance, returned to the original level
after several days, while the other remained low for a long time.
[5]
It is important for Corporate Executives to take this situation
into consideration, and to review risk management processes from
the viewpoints of the information security. But most executive
regards the corporate information security measures as the
administrators' matter. Most of the companies have implemented
measures for Information Security with bottom-up approaches.
The systematic measures like ISMS are spreading, but the
executives sometimes don't have awareness of risks and measures
that should be shared with administrators and employees. In this
situation, it is difficult for the executives to carry out its
accountability on information security risk.
In Japan, a study group, sponsored by METI, had started efforts
to develop the concept of ISG. In 2005, the group made a model
of “Information Security Report”[6]
, a tool for a corporate to
explain its information security policy and related activities to
stakeholders, like a model of Corporate Social Responsibility
report (CSR report). METI has recommended this model to the
companies. Some companies published their Information Security
Reports. According to the brand assessment in an industry that
handles security products, the percentage of user companies who
positively evaluate firms that disclose a report on information
security has increased significantly since 2006.[?]
The study group also designed a concept of “Information
Security Management Benchmark” [8]
to provide reference data
for enterprises to make sound decisions on measures and
investment of information security. The ISM-Benchmark is a self-
assessment tool to visually check where the level of the
company's security measures resides, by responding questions
about company profile and 25 items of security measures. The
number of accumulated records exceeded 17,000.
In addition, METI made a guideline for Information Security
Audit, in 2003. [7] [9]
There are more than 10,000 companies and
organizations during a year that use Information Security Audit.
In this paper, we propose new ISG framework for Corporate
Executives to overcome difficulties around ISM, and make clear
the relationships among ISG and related tools and programs.
2. Requirement for ISG
As we discussed our background in previous section, in most
cases corporate information security programs had started from
bottom to up. Started from the workplace, from piece by piece
security control mainly focusing on technical solution necessary
to protect departmental information assets, based on workplace
risk assessment conducted by department staffs. Later, most
organizations became to understand that there should be effective
management mechanism in place to coordinate these controls to
get more sophisticated outcomes.
Gradually, most organizations became aware of the fact that
these sets of bottom-up security programs might not be able to
solve the difficulties and issues surrounding information security.
Even if they have management mechanism to coordinate these
controls, they will not be effective enough without clear
alignment and interconnection between the management
mechanisms and corporate governance mechanism.
In addition to these management mechanism, ISG, Information
Security Governance, has become recognized to be a key portion
of corporate security program, requested as a part of corporate
governance framework.
The word “ISG” has become familiar these days, but almost
nobody clearly knows the functions of ISG and differences
between ISG and ISM yet. Most difficulties and issues remain
unchanged.
From the Systems engineering perspective, ISG is, of course, a
system composed of several elements; each element has
interrelationships with other constituent elements, and pursues
common objectives as a whole. Difficulties and issues, we face to
govern Corporate Information Security, are suggesting that we
may be missing any key element of ISG, or missing key interfaces
between elements of ISG.
To recover these missing element and interfaces, and to make
governance system more effective, we would better have ISG
framework, an overall picture of ISG, in which all critical
elements explicitly defined with functions of each element, and
interfaces among elements. The framework is a kind of theoretical
model that clearly show the structures and mechanism how ISG
works, and Corporate Executives can understand how they can
map these functions and interfaces to their actual organizations.
It can be easily understood that IGS framework and its function
model must satisfy following three key requirements.
Requirement #1: ISG framework and function model should be
consistently constructed with other corporate risk governance
framework so that executives can make decisions easily and
effectively, since information security is one of the major
corporate risk areas, and management of information security risk
also should be a part of corporate risk management framework.
Requirement #2: At same time, ISG function model also need
to be capable to handle unique characteristics of information
security risk which are essentially different from other risk
categories. Mainly these essential characteristics come from the
differences between BIT and ATOM. BITs can be easily copied,
transmitted and shared around the globe instantly. Information
sharing with specific business partners may bring huge business
advantage, but at same time, single security incident may lead to
total business failure. IGS functional model needs to be capable to
govern risks in such fierce circumstance.
Requirement #3: ISG functional model should be able to
include existing information security management and control
mechanism, such as ISMS, and be able to have effective interface
with the elements of these existing mechanism.
3. Reference model for ISG
3.1 Relation between Corporate Governance,
IT Governance and ISG
Corporate governance includes all aspect of governance to deal
with every risk. Similar to the fact that corporate executives are
responsible for the corporate governance, they are also
responsible for both ITG and ISG. The relation between ISG and
ITG is not clearly defined, although information security is one of
big topics in ITG. ISG includes not only IT security but also
physical security and paper security. Thus the relation with ISG
and ITG is shown in Figure 3.1. [1], [3]
2
3. One example of the intersection of ITG and ISG in Figure 3.1
(IT security element) is that a computer access control system
which identifies the accessed personnel by ID and password and
permits him to access to protected data according to his assigned
privilege. Most of automated security controls belong to this
category.
The other examples of non-IT of ISG in Figure 3.1 are paper
security and physical security. Paper may be printed out by use of
IT. However, paper is still used for hand written evidence for a
contract, an approval of purchase, and an entry form into a
secured server room. Those papers are stored safely and protected.
A rule for paper handling is within the responsibility of
executives. Physical security is another example of non-IT where
only restricted personnel can enter into the secured area.
Executives may ask to implement IT to restrict access to the room
with IC card and automated door.
IT security
element
IT Non-IT
IT governance
Information security
governance
Corporate governance
Information security
element
Non-information
security element
Figure 3.1 Relation between ISG and ITG
3.2 Configuration of the ISG framework
ITG framework has been discussed in ISO/IEC 38500:2008. As
we have stated that ISG has common integral part with ITG, ISG
should be aligned with ISO/IEC 38500:2008[10]
. We propose a
new extended model for the ISG framework in Figure 3.2 based
on three requirements stated in chapter 2.
The new model consists of five components, three common
parts with ISO/IEC38500; “Direct” for guiding managements
from the viewpoints of business strategies and risk management,
“Monitor” for ensuring the governance activities visible with
measurable indicators, “Evaluate” for assessing and verifying the
results/outcomes. We extended with two new components for
Information security aspect; “Oversee” for observing and auditing
governance processes, and “Report” for disclosing the report to
the stakeholders (see Figure 3.2).
As shown in Figure 3.2, the framework includes the governing
cycle starting from “Direct,” “Monitor,” and “Evaluate” Information
Security Management (here in after ISM) process. Because ISO/IEC
27001:2005[11]
requires “commitment to the establishment,
implementation, operation, monitoring, review, maintenance and
improvement of the ISMS”, the ISG framework should incorporate
with this requirement.
Report
InformationSecurity Management
Direct
Corporate
Executives
Monitor
Evaluate
Enterprise
Managers
Oversee
Auditors
Stakeholders
Frameworkofinformation
security governance
Management commitment
Progress and achievement state of PDCA
Figure 3.2: PROPOSED FRAMEWORK OF
INFORMATION SECURITY GOVERNANCE
Note that the stakeholders may select the company as a business
partner or an investment target while taking its ISG activities into
consideration, but stakeholders is not included in the framework
model because they are not controllable.
3.3 “Direct” in the ISG framework
Information security incident response requires quick decision and
action to reduce dames or losses on information asset. “Direct” in
the ISG framework ensures good interaction between executives
and the management to implement good ISM, communication and
preparedness against potential risks. Implementation of “Direct” for
ISG is different from that of ITG, because executives should have
certain role and responsibility on ISM project. If executives think
their role is just order the management, real-time response to
information security incidents may not possible. For ISG, executives
should understand and take combination of actions to ease the
situation. It looks similar to corporate portfolio management.
“Direct” in the ISG also includes defining the scope of the ISM,
formulating a risk analysis, and allocating necessary resources.
Enacting “Security policy” for ISM is the responsibility of
executives.
3.4 “Monitor” in the ISG framework
“Monitor” of ISG includes two functions. First function is to
oversee the status of the ISMS PDCA cycle which is comparable to
that of ITG. Management should check the potential risk and assess
preparedness and counter measures put in place. If once the
allowance exceeds the limit set by executives, they should report to
the executives. Sometimes this function is automated and display to
“Dash Board” designed for executives.
Second function is to surveillance of potential Information
Security incident and accident. Real time “Monitor” is crucial to the
security and is not necessary to ITG.
3.5 “Evaluate” in the ISG framework
For “Evaluate” process, executives analyze and measure the
degree of achieving the goals from management data collected in
the “Monitor” process, and take corrective action if necessary.
Major difference from ITG, ISG requires real time decision to
minimize loss, error, or damage caused by security incidents. For
example, in case of SQL injection attack and followed modification
3
4. on corporate e-commerce web site, immediate action should be
taken by the management and its impact should be reported
immediately to the executives. Depending on the damage or impact
to corporate business, executives should evaluate it quickly and take
necessary actions on real time. Because of the nature of attacks
against the internet site, it is not possible to forecast when and how.
The early and appropriate response of executives is the key to ease
the tension.
“Evaluate” will activate “Report” to stakeholder to understand
corporate security in Figure 3.2. Nowadays, many stakeholders have
strong interest in corporate security, because his stock price may be
devaluated by security incident. He would ask the company to
disclose the status of information security preparedness.
3.6 “Report” in the ISG framework
“Report” is also proposed to incorporate into the ITG framework
because stakeholders require the transparency and accountability of
Information Security. Similar to the CSR report which is used to
ensure the corporate contributing society, ISG "Report" ensures the
implemented security measures in corporate.
In the past, the occurrence of an accident or incident relating to
information security is rather small and its impact to the society is
not serious, and even such companies were not accused from the
society. However, in recent years, a privacy information exposure or
a service interruption due to system failure happened more
frequently. Stakeholders recognize that those companies have
higher risk and regard them not to trust on their business relations
unless they disclose their security problems and improvement. Thus
it is necessary to disclose activities for information security from an
"accountability" point of view so as to avoid negative hearsay and to
trust from the external stakeholders.
There are two purposes for company to disclose activities for
information security to external stakeholders. The first one is to
announce that the company fulfills its social responsibility by
reporting practical information security activities, with security
incidents if any.
The second purpose is to report activities for information security
from the viewpoint of rising corporate value. These activities can
increase the confidence of the partners and customers, resulting in
constructing a long and stable relationship with the partners as well
as in royalties from the customers. Moreover, if they implement the
strategic management on information assets, then the company's
cash flow may be increasing or stable in the future. As confidential
information including technology and know-how, customer privacy
data, and information networks configurations are strategically most
important, protecting and controlling them is being regarded as an
important business objective. As far as the corporations make no
disclosure, they rarely receive a high rating from the investors and
never obtain a resulting economic effect.
Both purposes are not always exclusive to each other. Disclosing
the security related activities is very important because it has a side
effect on raising information security awareness to employee.
Reporting to the outside “Disclosure” can be regarded as a
“promise” the company gives to the society. This is because
disclosing the activities makes it possible for every employee to be
aware that the "promise" to external stakeholders is important.
Information security disclosure does not mean to disclose
information security vulnerability. This is because if the company
disclose their vulnerability on their firewalls, company web site may
be attacked and increase risk. Companies are not required to open
their weakness to customers, partners, and outsourcers.
In the case of the disclosure from an "accountability" point of
view, it is important to provide content that allow the receivers to
check whether the information security activities are carried out as
explained. The important thing is that what information security
policy is developed, in what sort of information security process are
put in place, and what system ensures the effectiveness is all
observable. Then, disclosing item should include (1) information
security policy, (2) risk evaluation, (3) risk measures and response,
and (4) management system.
In the case of the disclosure from a "value creation" point of view,
the important thing is what kind of economic effect it produces. The
economic effect includes how much cost the information security
activities reduce through making an inventory of information assets,
the extent to which they increase the brand value as well as the trust
of the customers and partners, what economic value protected
information assets have, and how much the implementation of the
activities reduces the risk of damaging the information assets. If
those efforts are visible and accountable, investors can estimate the
corporate value highly and the stock market may give a high price
to the corporate.
According to the corporate brand assessment in an industry that
handles products relating to information security, the percentage of
user companies who positively evaluate other firms that disclose a
report on information security has increased significantly since
2006.[6]
Moreover, the former tended to give importance to the
evaluation of information security activities when selecting a partner.
Similarly, higher the company's attitude to information security
activities is, higher the user company's satisfaction is.
Table 3.1 is the example form of Information Security Report
from the trial conducted by METI in 2005. [6]
Table 1: Example of Information Security Report
(1)Basic Information
Includes the purpose of issue of the report, cautions relating
to usage, target periods and responsible departments.
(2)Concept of Management regarding Information Security
Includes policy regarding information-security
undertakings, target scope, ranking of stakeholders in the
report and messages to stakeholders.
(3)Information Security Governance
Information security management system (e.g. placement of
responsibility, organizational structure and compliance),
risks relating to information security and information
security strategy.
(4)Information Security Measures Planning and Goals
Includes action plan and target values
(5)Results and Evaluation of Information Security Measures
Includes results, evaluation, information security quality
improvement activities, management of overseas bases,
outsourcing, social contribution activities relating to
information security and accident reports.
4
5. (6)Principle Focal Themes relating to Information Security
Includes internal controls and protection of personal
information, undertakings to be particularly emphasized
such as Business Continuity Plans, introduction to themes
and newly devised points
(7)Third-party Approval, Accreditation, etc. (if acquired)
Includes ISMS compliance evaluation system, information
security audits, privacy mark systems, number of persons
with information security qualifications, classification and
ranking.
3.7 “Oversee” in the ISG framework
“Oversee” is a kind of auditing function to check and validate
Corporate Executives’ IS related activities. It is very important for
every organization to check its sound operation from third party
viewpoint. ISG framework will make Corporate Auditors,
independent from corporate executives, feel easier to conduct IS
related auditing with clearly defined functions which executives
expected to perform.
4. Conclusion
New ISG model, consists of DIRECT, MONITOR, EVALUATE,
OVERSEE and REPORT, occupies key position in the total ISG
system, and cover the missing functions of corporate IS initiative.
Now we can clearly see the whole picture of ISG, Information
Security Governance system, including existing approaches,
efforts and tasks. Five key functions are clearly defined, and
relationships with existing approaches are specified.
Since every function has been clearly specified, it is easy for
most corporations to check their existing functions and tasks
against new ISG model, and find missing element or interface if
any. It is also useful for most corporations to define their
functions and interfaces of their own ISG, depending on the
physical organizational structure and role and responsibility
sharing, referring this New ISG Model.
It is obvious that new ISG framework and function model
satisfies three key requirements discussed in section 2. ISG
framework has similar functional architecture with ITG, and
relevant to be consistent with other risk management framework.
Each element has designed functionalities to deal with unique
characteristics of information security related risks, and identical
interfaces with the elements of existing ISM mechanisms.
We strongly recommend that this New ISG Model is almost
indispensable for every corporation and organization to coop with
quickly changing world in Information Society. Information
Related Risk is one of the corporations’ key risk areas to be
governed and managed under the sophisticated mechanism.
Remaining studies should be focused on the relationships with
other information security models such as risk metrics, control
activity monitoring and evaluation methodologies.
It is also required to have clearly defined relationships among
existing security related programs, such as ISM benchmarking,
Assurance type IS Audit, ISMS certification scheme, and ISG
framework. We have already started to sort out relationships
among related programs in Japan.
5. Acknowledgements
Authors acknowledge to METI and following committee
members and who contributed to a publication in Japan (“ISG
guidance” [2]
, 2009).
- Satoru YAMASAKI, PMO, CISO Office, IBM Japan
- Mitsuhiko MARUYAMA, Partner, Deloitte Tohmatsu
Risk Services Co., Ltd.
Authors also acknowledge to Dr. Ikuo MISUMI, Director, Office
of IT security policy, METI, and anonymous contributors who
support for developing the guidance.
6. References
[1] Ministry of Economics, Trade and Industry (METI),
Guidance to Introducing Information Security Governance,
1st
July, 2009 (in Japanese)
[2] ISACA/ITGI, Information Security Governance Guidance
for Boards of Directors and Executive Management 2nd
Edition, Mar. 2006
[3] E. Ohki, Framework of Information Security Governance,
Japan Society of Security Management 23rd
Annual
conference, 2009 (in Japanese)
[4] K. Ito, T. Kagaya, Kim.K, "Information security governance
to enhance corporate value", Hitotsubashi University Center
for Japanese Business Studies / Working Paper No.91, Jan
2009
[5] Kim,H., "The Effects of Prior Risk Information Disclosure
on Investors' Decision-Making: Using Cases of Revealed
Information Leak Risks.", Hitotsubashi Review of
Commerce and Management vol.2, No.2, Nov 2007
[6] METI, Report of Research Group on Corporate Information
Security Governance (Overview), 2005
(http://www.meti.go.jp/english/information/data/IT-
policy/pdf/report_of_information_security.pdf)
[7] METI, Information Security Auditing Guideline Version 2,
2008 (In Japanese)
[8] Information-technology Promotion Agency, Information
Security Management Benchmark (ISM-Benchmark),
(http://www.ipa.go.jp/security/english/benchmark_system.ht
ml), 2006
[9] Japan information Security Audit association
(JASA)(http://www.jasa.jp/) (In Japanese)
[10] ISO/IEC, ISO/IEC38500:2008, Corporate governance of
information technology, 2008
[11] ISO/IEC, ISO/IEC27001:2005, Information technology -
Security techniques - Information security management
systems - Requirements, 2005
5