Uploaded byssuser45a8a6
PPT, PDF13 views

zSecurity_L9_Standards and Policies.ppt

This document discusses standards and policies for information security. It describes governance and compliance requirements that businesses must follow, such as regulatory acts like Sarbanes-Oxley. Standards help create uniform guidelines and certifications for information security programs, technical personnel, systems, and processes. Common criteria, frameworks like COSO and COBIT, and certifications like CISSP help evaluate security controls and share best practices.

Embed presentation

Download to read offline
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies
© 2006 IBM Corporation Objectives  Describe governance, compliance and legal requirements that the business community operates under today  Understand the need for information security guidelines  Understand what system certification and evaluation are and why they are necessary  Explain regulatory acts and their benefits to corporations  Identify the components of an information security program
© 2006 IBM Corporation Key Terms  Compliance  Governance Requirements  Policy  CIPP  CISO  GIAC, CISSP, and SSCP  Sarbanes-Oxley  COSO Framework  CoBIT
© 2006 IBM Corporation Introduction  Implementing security on a system requires a plan.  Creating a plan requires guidelines.  Governments and standards bodies develop laws and guidelines which direct security policies.  Standards and guidelines bring ‘best practices’ to the IT industry.  Standards and guidelines put all IT shops on an even playing field when it comes to auditing and evaluations.
© 2006 IBM Corporation Governance, compliance and legal requirements  Government and professional bodies impose strict control requirements through legislation or certification requirements  Organizations integrate these regulatory controls into their business practices.  It is easier to establish uniform standards and monitor their compliance rather than inspect each company to ensure that it is protecting customer identities and is of the utmost integrity, although governments may check.  Governments and standards boards impose standards or controls only to protect the viability of the corporate environment, consumer privacy and confidence.  The CEO and CISO have to be familiar with the legal requirements and ensure that their organization follows all the laws and implements the procedures necessary.
© 2006 IBM Corporation Regulatory acts  There are two major categories of US laws regulating an organization and its IT operation. The first group covers core business security regulations, such as: –Basel II, Solvency II, IAS/IFRS, and HIPAA.  The second group includes the regulation of specific business processes related to IT security, such as: –FISMA, CobIT, British Standard 7799 (ISO 17799), Sarbanes- Oxley Act (US), and Homeland Security Act.  Although most of these acts are originated in the U.S., they already have been or will be adopted in other countries, especially in the European Union.  They apply to all companies acting in the U.S. or being registered at stock exchanges.
© 2006 IBM Corporation Information security guidelines  Essential to managing our information business assets is the creation of the information security program.  Organizations create Critical Infrastructure Protection Programs (CIPP) to protect business-critical infrastructure.  Organizations, mostly in the public sector, have always had such security and control programs and processes with varying degrees of coherence and corresponding effectiveness.
© 2006 IBM Corporation Information security programs  The Executive Information Security Policy, a component of the ISP, defines the scope of the policy and describes the need to protect information infrastructure in general.  Management needs to draft a document defining the program for:  the protection of information infrastructure and assets  the compliance with regulatory requirements  the creation of service level agreements with security included with partners  the creation of Service Level Requirements (SLR) of business unit communications  the creation of the office of the Chief Information Security Officer (CISO) to oversee the program  the update and change of the Corporate Information Security Policy documentation, that includes assigning of specific responsibilities so everyone knows what they are supposed to do and what is expected of them.
© 2006 IBM Corporation System certification and evaluation  Certification involves assessment that all the prescribed measures and controls are in place and that qualified people have technical responsibility for maintaining them.  It is performed independently from the staff who maintain the system.  Certification can be divided into three main areas –Certification for technical personnel –Certification for systems –Certification for processes
© 2006 IBM Corporation Certification for technical personnel  Global Information Assurance Certification (GIAC) –SysAdmin, Audit, Network, Security (SANS) Institute founded GIAC (Global Information Assurance Certification) in 1999 to develop a technical certification standard for security professionals. •See the organizational Web site at: http://www.giac.org/  Certified Information Systems Security Professional (CISSP) –Tests competence in the 10 domains or subject areas and in relevant work experience in the security field. –CISSPs are most often CISOs or senior level information security managers with policy or senior management responsibilities. –See the Web site at: http://www.isc2.org  Systems Security Certified Practitioner (SSCP) –targeted towards the information security technologists that are on the “front-lines”. SSCP are operational technologists who are working as Network Security Engineers, Security Systems Analysts or Administrators. –The SSCP certification requires proficiency in 7 subject areas. –See the Web site at: http://www.isc2.org
© 2006 IBM Corporation Certification for systems Common Criteria  The Common Criteria enables corporate technologists a means of standardizing a common set of requirements for the security functions of IT products.  These standardized requirements are backed by the International Standards Organization (ISO/IEC15408:1999) and are known as the Common Evaluation Methodologies (CEM).  Using CEM we can evaluate between different application and appliances judging how best they address an organization’s security requirements.  In 1999, six countries (Canada, France, Germany, Netherlands, United Kingdom, United States) became signatory to Common Criteria 2.0 making it an international standard.  See the Web site at: http://www.commoncriteriaportal.org
© 2006 IBM Corporation Certification for processes  One challenge companies will face in complying with the regulations is choosing an appropriate methodology and developing a sequence of steps from which to evaluate their internal controls.  Here are two frameworks that are suitable to this task: –COSO Framework • This framework describes that internal controls should be comprised of five components and that all components must be in place in order for the internal control to be considered effective. –Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring –CoBIT: Control Objectives for Information and Technology (CoBIT) • The objective for creating COBIT was to interpret the COSO Framework specifically from an IT perspective, resulting in a framework that, according to the Information Systems Audit and Control Association (ISACA), is increasingly internationally accepted as good practice for control over information, IT and related risks.’ • In examining COBIT specifically to Sarbanes-Oxley, ITGI has published IT Control Objectives for Sarbanes-Oxley,’ resulting in a framework containing detailed IT processes and control objectives specific to financial reporting. • Like ISO 17799 the control objectives provide a common framework in what would otherwise require each organization to maintain individualized standards. –Being able to normalize IT governance standards allows organizations to adopt the best practices gleaned from experience.
© 2006 IBM Corporation Summary  Legislative and corporate governance and compliance requirements required that we create the means by which we manage information security and measure our compliance efforts.  Over the years methods have been developed by the industry and professional associations to ensure that a method existed by which standardized methods and best practices can be shared.  Common Criteria Certification allows consumers to evaluate different products using common guidelines  Personnel, systems, and processes can be certified as compliant with standards

More Related Content

PPT
Chapter 5 Planning for Security-students.ppt
byShruthi48
 
PDF
Chapter 10 security standart
bynewbie2019
 
PDF
Standards & Framework.pdf
bykarthikvcyber
 
PPTX
D1 security and risk management v1.62
byAlliedConSapCourses
 
PPT
Unit 4 standards.ppt
byClashWithGROUDON
 
PDF
Chapter 7 Managing Secure System.pdf
byAbuHanifah59
 
PDF
CNIT 160: Ch 2b: Security Strategy Development
bySam Bowne
 
PPTX
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
bykevlekalakala
 
Chapter 5 Planning for Security-students.ppt
byShruthi48
 
Chapter 10 security standart
bynewbie2019
 
Standards & Framework.pdf
bykarthikvcyber
 
D1 security and risk management v1.62
byAlliedConSapCourses
 
Unit 4 standards.ppt
byClashWithGROUDON
 
Chapter 7 Managing Secure System.pdf
byAbuHanifah59
 
CNIT 160: Ch 2b: Security Strategy Development
bySam Bowne
 
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
bykevlekalakala
 

Similar to zSecurity_L9_Standards and Policies.ppt

PPT
Standards & Framework.ppt
bykarthikvcyber
 
PPTX
Planning for security and security audit process
byDivya Tiwari
 
PDF
CNIT 160 Ch 4a: Information Security Programs
bySam Bowne
 
PPTX
Governance and management of IT.pptx
byPrashant Singh
 
PDF
GRCAlert Capabilities Deck - 2018
byRichard Marti - Principal
 
PDF
CNIT 160 Ch 4a: Information Security Programs
bySam Bowne
 
PPTX
FCS lecture 6.pptxlknemfenj dkcnd vkf dkjvn
byGulasalButaeva
 
PPTX
CISA Training - Chapter 2 - 2016
byHafiz Sheikh Adnan Ahmed
 
PPTX
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
bydrsajjad13
 
PDF
CNIT 160 4d Security Program Management (Part 4)
bySam Bowne
 
DOCX
crucet1crucet2crucet
byMargenePurnell14
 
PPT
Policy formation and enforcement.ppt
byImXaib
 
PPTX
crisc_wk_2a.pptx
bydotco
 
PPT
Developing an Information Security Program
byShauna_Cox
 
PPTX
NIST IT Standards for Local Governments 2010
byDonald E. Hester
 
PDF
1. Security and Risk Management
bySam Bowne
 
PDF
Accelerating Regulatory Compliance for IBM i Systems
byPrecisely
 
PPTX
Information security
byavinashbalakrishnan2
 
PDF
1 info sec+risk-mgmt
bymadunix
 
PPT
Lecture3.ppt
byTSampathKumar4
 
Standards & Framework.ppt
bykarthikvcyber
 
Planning for security and security audit process
byDivya Tiwari
 
CNIT 160 Ch 4a: Information Security Programs
bySam Bowne
 
Governance and management of IT.pptx
byPrashant Singh
 
GRCAlert Capabilities Deck - 2018
byRichard Marti - Principal
 
CNIT 160 Ch 4a: Information Security Programs
bySam Bowne
 
FCS lecture 6.pptxlknemfenj dkcnd vkf dkjvn
byGulasalButaeva
 
CISA Training - Chapter 2 - 2016
byHafiz Sheikh Adnan Ahmed
 
ch1.pptx Chapter 1 of CISSP ch1.pptx Chapter 1 of CISSPch1.pptx Chapter 1 of ...
bydrsajjad13
 
CNIT 160 4d Security Program Management (Part 4)
bySam Bowne
 
crucet1crucet2crucet
byMargenePurnell14
 
Policy formation and enforcement.ppt
byImXaib
 
crisc_wk_2a.pptx
bydotco
 
Developing an Information Security Program
byShauna_Cox
 
NIST IT Standards for Local Governments 2010
byDonald E. Hester
 
1. Security and Risk Management
bySam Bowne
 
Accelerating Regulatory Compliance for IBM i Systems
byPrecisely
 
Information security
byavinashbalakrishnan2
 
1 info sec+risk-mgmt
bymadunix
 
Lecture3.ppt
byTSampathKumar4
 

Recently uploaded

PDF
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
PDF
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
DOCX
A Comprehensive Guide To Buy Verified PayPal Accounts_.docx
bysmartusapva.com
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PDF
The Modern Architect's Codex: Design Patterns in .NET 9
byVineet Sharma
 
PDF
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PPTX
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
PPTX
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
Clean Architecture with Vertical Slice Architecture in .NET 8
byVineet Sharma
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
A Comprehensive Guide To Buy Verified PayPal Accounts_.docx
bysmartusapva.com
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
The Modern Architect's Codex: Design Patterns in .NET 9
byVineet Sharma
 
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
Pitch Deck for MEVIA OS - No Apps, Infinite, Decentralized Operating System
byDr. Edwin Hernandez
 
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 

zSecurity_L9_Standards and Policies.ppt

  • 1.
    © 2006 IBMCorporation Introduction to z/OS Security Lesson 9: Standards and Policies
  • 2.
    © 2006 IBMCorporation Objectives  Describe governance, compliance and legal requirements that the business community operates under today  Understand the need for information security guidelines  Understand what system certification and evaluation are and why they are necessary  Explain regulatory acts and their benefits to corporations  Identify the components of an information security program
  • 3.
    © 2006 IBMCorporation Key Terms  Compliance  Governance Requirements  Policy  CIPP  CISO  GIAC, CISSP, and SSCP  Sarbanes-Oxley  COSO Framework  CoBIT
  • 4.
    © 2006 IBMCorporation Introduction  Implementing security on a system requires a plan.  Creating a plan requires guidelines.  Governments and standards bodies develop laws and guidelines which direct security policies.  Standards and guidelines bring ‘best practices’ to the IT industry.  Standards and guidelines put all IT shops on an even playing field when it comes to auditing and evaluations.
  • 5.
    © 2006 IBMCorporation Governance, compliance and legal requirements  Government and professional bodies impose strict control requirements through legislation or certification requirements  Organizations integrate these regulatory controls into their business practices.  It is easier to establish uniform standards and monitor their compliance rather than inspect each company to ensure that it is protecting customer identities and is of the utmost integrity, although governments may check.  Governments and standards boards impose standards or controls only to protect the viability of the corporate environment, consumer privacy and confidence.  The CEO and CISO have to be familiar with the legal requirements and ensure that their organization follows all the laws and implements the procedures necessary.
  • 6.
    © 2006 IBMCorporation Regulatory acts  There are two major categories of US laws regulating an organization and its IT operation. The first group covers core business security regulations, such as: –Basel II, Solvency II, IAS/IFRS, and HIPAA.  The second group includes the regulation of specific business processes related to IT security, such as: –FISMA, CobIT, British Standard 7799 (ISO 17799), Sarbanes- Oxley Act (US), and Homeland Security Act.  Although most of these acts are originated in the U.S., they already have been or will be adopted in other countries, especially in the European Union.  They apply to all companies acting in the U.S. or being registered at stock exchanges.
  • 7.
    © 2006 IBMCorporation Information security guidelines  Essential to managing our information business assets is the creation of the information security program.  Organizations create Critical Infrastructure Protection Programs (CIPP) to protect business-critical infrastructure.  Organizations, mostly in the public sector, have always had such security and control programs and processes with varying degrees of coherence and corresponding effectiveness.
  • 8.
    © 2006 IBMCorporation Information security programs  The Executive Information Security Policy, a component of the ISP, defines the scope of the policy and describes the need to protect information infrastructure in general.  Management needs to draft a document defining the program for:  the protection of information infrastructure and assets  the compliance with regulatory requirements  the creation of service level agreements with security included with partners  the creation of Service Level Requirements (SLR) of business unit communications  the creation of the office of the Chief Information Security Officer (CISO) to oversee the program  the update and change of the Corporate Information Security Policy documentation, that includes assigning of specific responsibilities so everyone knows what they are supposed to do and what is expected of them.
  • 9.
    © 2006 IBMCorporation System certification and evaluation  Certification involves assessment that all the prescribed measures and controls are in place and that qualified people have technical responsibility for maintaining them.  It is performed independently from the staff who maintain the system.  Certification can be divided into three main areas –Certification for technical personnel –Certification for systems –Certification for processes
  • 10.
    © 2006 IBMCorporation Certification for technical personnel  Global Information Assurance Certification (GIAC) –SysAdmin, Audit, Network, Security (SANS) Institute founded GIAC (Global Information Assurance Certification) in 1999 to develop a technical certification standard for security professionals. •See the organizational Web site at: http://www.giac.org/  Certified Information Systems Security Professional (CISSP) –Tests competence in the 10 domains or subject areas and in relevant work experience in the security field. –CISSPs are most often CISOs or senior level information security managers with policy or senior management responsibilities. –See the Web site at: http://www.isc2.org  Systems Security Certified Practitioner (SSCP) –targeted towards the information security technologists that are on the “front-lines”. SSCP are operational technologists who are working as Network Security Engineers, Security Systems Analysts or Administrators. –The SSCP certification requires proficiency in 7 subject areas. –See the Web site at: http://www.isc2.org
  • 11.
    © 2006 IBMCorporation Certification for systems Common Criteria  The Common Criteria enables corporate technologists a means of standardizing a common set of requirements for the security functions of IT products.  These standardized requirements are backed by the International Standards Organization (ISO/IEC15408:1999) and are known as the Common Evaluation Methodologies (CEM).  Using CEM we can evaluate between different application and appliances judging how best they address an organization’s security requirements.  In 1999, six countries (Canada, France, Germany, Netherlands, United Kingdom, United States) became signatory to Common Criteria 2.0 making it an international standard.  See the Web site at: http://www.commoncriteriaportal.org
  • 12.
    © 2006 IBMCorporation Certification for processes  One challenge companies will face in complying with the regulations is choosing an appropriate methodology and developing a sequence of steps from which to evaluate their internal controls.  Here are two frameworks that are suitable to this task: –COSO Framework • This framework describes that internal controls should be comprised of five components and that all components must be in place in order for the internal control to be considered effective. –Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring –CoBIT: Control Objectives for Information and Technology (CoBIT) • The objective for creating COBIT was to interpret the COSO Framework specifically from an IT perspective, resulting in a framework that, according to the Information Systems Audit and Control Association (ISACA), is increasingly internationally accepted as good practice for control over information, IT and related risks.’ • In examining COBIT specifically to Sarbanes-Oxley, ITGI has published IT Control Objectives for Sarbanes-Oxley,’ resulting in a framework containing detailed IT processes and control objectives specific to financial reporting. • Like ISO 17799 the control objectives provide a common framework in what would otherwise require each organization to maintain individualized standards. –Being able to normalize IT governance standards allows organizations to adopt the best practices gleaned from experience.
  • 13.
    © 2006 IBMCorporation Summary  Legislative and corporate governance and compliance requirements required that we create the means by which we manage information security and measure our compliance efforts.  Over the years methods have been developed by the industry and professional associations to ensure that a method existed by which standardized methods and best practices can be shared.  Common Criteria Certification allows consumers to evaluate different products using common guidelines  Personnel, systems, and processes can be certified as compliant with standards